IT managers are divided as to whether moving to virtualisation and cloud computing makes network security easier or harder.
The "2010 State of Enterprise Security Survey - Global Data" report shows that about one-third believe virtualisation and cloud computing make security "harder," while one-third said it was "more or less the same," and the remainder said it was "easier."
Although endpoint virtualisation is widely believed to trail server-based virtualisation, 8 percent of the respondents to the survey, which was done by Applied Research on behalf of Symantec, said they had implemented the former, 16 percent were in the course of implementing it, 9 percent were in a "trial stage," 26 percent had plans for it and 25 percent were in "early discussion," whereas 16 percent weren't considering it.
There are signs of some movement towards cloud computing: 40 percent of the respondents indicated their organisations were currently using applications in the cloud in some way - yet 40 percent said it would be more difficult to prevent or react to data loss under their firm's cloud-computing strategy.
And when asked "Does your cloud-computing strategy make the risk of losing data bigger or smaller?" 38 percent said it would be higher, with the remainder pretty much split saying it would be the same or lower. The answers broke the same way on the question of virtualisation strategy.
To explain such different perceptions about the security impact of virtualisation and cloud computing, Matthew Steele, Symantec director of strategic technology, said the best way to understand these answers is to know that "if they had a real security background, they immediately got concerned. But if they care for IT operations, they were thinking about it from an IT optimisation standpoint." And the middle-of-the-road responses - it's all "more or less the same" - tended to originate from those with budget responsibilities. "If the business is still moving, things are OK," Steele remarked.
The survey showed that the median annual budget for enterprise security in 2010 is $600,000, an 11 percent increase over 2009, with yet another 11 percent increase anticipated in 2011. But despite incremental budget growth, the survey's respondents - who hail from banking, healthcare, telecommunications and other sectors as well as local and federal government agencies - often indicated they had a hard time finding and retaining security personnel.
Difficulty in finding the right expertise was a driver in all manner of outsourcing, including use of managed security services, which about half the organisations used. But only about half were truly "satisfied" with outsourcing arrangements, even as they contemplated expansion into software-as-a-service, platform-as-a-service, and infrastructure-as-a-service, which Symantec defined as everything from use of Google Apps to full-blown hardware and operating system rental on demand, making up today's evolving concept of "cloud computing."
When it comes to cyberattacks and data loss, the situation looks bleak based on the responses in the report.
Three quarters of respondents said their organisation had experienced cyberattacks in the past 12 months, with 36 percent calling them "somewhat/highly effective." The annual cost of a cyberattack was pegged at more than $2 million for large enterprises when tallying up lost productivity, theft of intellectual property, loss of customers, legal fees and more.
"Every day we see new viruses, new spyware, new backdoors. It is beyond crazy," one IT director is quoted as saying. The survey showed the most frequent types of attacks were malware implantation, social-engineering ploys and denial-of-service (DoS) attacks.
On average, web properties were targeted twice last year with the implanting of malware, and also suffered one significant DoS attack and one theft of information.
Data losses were attributed to numerous sources, including outsiders (20 percent) and accidental insider actions (15 percent).
Healthcare providers specifically reported 58 percent of data loss was accidental exposure of patient information, 22 percent was theft, with identity theft and even malware attacks on medical equipment a problem as well.
Patching is regarded by 87 percent of the respondents as one of the most effective measures to ward off cyberattacks, with about three quarters also putting trust in perimeter security and authentication processes, along with antimalware controls.
According to the survey, a surprising 20 percent of Windows-based PCs in use by employees were selected, purchased and owned by the employee, along with 12 percent of their laptops and 6 percent of smartphones. But 52 percent of the survey's IT and security pros viewed that as something that could compromise security.
With Windows 7 just released, one survey question on that topic indicated that 19 percent had "no plans" to use Windows 7, but 9 percent already had, and the rest were discussing or had plans for it. In all, 72 percent of the survey's respondents think Windows 7 offers improved security over previous Windows versions.
Finally, in something of a blow to Symantec and other security vendors, the survey asked telecom companies who they considered their main security vendor and found about two-thirds said "network equipment providers" and only a third said "security companies."