“Antivirus is dead!” proclaimed Brian Dye, senior VP at security firm Symantec recently. Far from being an unguarded “Ratner” moment by a company best known for its Norton antivirus software, this was a deliberate (and rather successful) attempt to grab the headlines to highlight the multitude of novel methods that have become available to attackers since the humble virus first emerged many years ago (and to position Symantec as the partner of choice in the battle against blended threats, naturally).
“Antivirus is insufficient!” would have been much less of a head turner, but it is nevertheless a far more accurate statement of fact. According to Dye himself, antivirus software still catches roughly half of all malware, but additional tools and technologies are obviously required to stop the rest and to protect the modern online business and its users against the ever-changing tactics and toolkits of criminals, hackers and spies.
As well as putting appropriate defences in place, companies need to educate staff and implement broad security policies beyond simply installing antivirus software to keep their systems safe. And for antivirus read firewall too. The era in which the firewall could be guaranteed to keep almost all attacks at bay passed as soon as data started to be held outside of the LAN, and the relative effectiveness of perimeter security has continued to decline ever since.
According to a recent report from the UK Department for Business, Innovation and Skills, for example, 93 per cent of large businesses suffered a security breach of some kind in 2013 while small businesses, once seen as far less of a target, reported a big rise in attacks, with 87 per cent experiencing a security breach, up from 76 per cent just a year before.
With threat levels rising, Computing surveyed 120 IT leaders at organisations spanning all sectors and sizes, but with the sample weighted towards smaller companies, to find out their perceptions of what constitute the most serious dangers and the measures they are taking to combat them.
Spending to save
The survey kicked off by asking about the proportion of the overall IT budget allocated to the security function within each respondent’s organisation. A worrying handful said they allocated nothing at all, but the majority (64 per cent) were far less complacent, spending up to 10 per cent of their IT budget on security measures (figure 1).
Unfortunately, when it came to gaining an understanding of the risks faced by their organisations in order to direct their budget most effectively, respondents proved to be something of a mixed bunch, with 19 per cent having never formally carried out an assessment at all. Only half carry out a formal risk assessment on a regular basis.
When it came to rating and prioritising potential threats, the Computing survey uncovered some very interesting and surprising results.
For example, when presented with a comprehensive list of security concerns, current hot-button issues relating to the growing use of portable USB devices, cloud, mobile computing and social networking were rated as posing only a limited threat to the business, as were simple malware infections – viruses, Trojans and so on (figure 2).
The two most serious threats were thought to be insecure user passwords and the theft of data or intellectual property (IP) by insiders, who could be either employees or others with legitimate access to the corporate network.
Spam email (a favourite vehicle for delivering malware) and lack of security awareness among staff were also rated highly in terms of potential threats, so it could be that the IT heads surveyed were taking a mental step back and looking at the underlying causes of vulnerability rather than the specific agents of threat themselves, but the results were unexpected nevertheless.
Turning to the measures that companies take to protect themselves, providing for extensive backup and disaster recovery measures came top of the list overall. Defence against malware both on the server and the endpoint was next – suggesting that antivirus certainly isn’t dead just yet – followed by VPN encryption for remote user access.
Interestingly, given the perceived danger represented by insecure user passwords noted above, creating a strict password policy with strong passwords and regular changes was only fifth on the list (figure 3).
Another surprise was that having a strict BYOD policy was seen as a priority for a mere four per cent of the respondents, although this figure will reflect the limited number of organisations that have rolled out BYOD in earnest. Similarly, rogue access point detection scored just two per cent while a guest Wi-Fi network got a derisory single vote.
It would seem, then, that when it comes to security, those in charge see the main threats as deriving from the same sources as they always have done, and are devoting the majority of their efforts to countering them in traditional ways. While newer danger areas are certainly on the radar, they are not yet given the priority accorded to malware protection and VPNs.
As is often the case, the reality on the ground is at some remove from the pronouncements of the vendors and analysts, which typically project 12 or 24 months into the future. For now, backup and recovery tools are still the only way of recovering quickly from both security breaches and simpler hardware and software failures, guaranteeing the ability to restore the status quo and enable the business to carry on trading.
Likewise, patching for known vulnerabilities is seen as better than trying to deal with the aftermath of attacks, and filters that block viruses and other common malware infections are reliable even if they are not the complete solution.
New foes may be coming over the horizon, but the old dragons have not been slain just yet.