Increased use of mobile devices, especially smartphones, in addition to the transition to virtualization, are key factors weighing on enterprises trying to sort out security strategy and budgets, according to a survey of 688 information and security managers.
According to the Ponemon Institute's "State of the Endpoint" study released this week, there are serious signs that IT operations and IT security often fail to work as a team. Forty percent say collaboration is "poor or non-existent" and 48% call it "adequate, but can be improved." Virtualization, mainly VMware and Microsoft Hyper-V, are increasingly the software platforms their organizations support, and 55% say virtualization does require "additional security measures," with most turning for help with that to the virtualization vendor or vendors with specialized virtualization security components.
But a surprising 41% indicated responsibility for virtualization security isn't clearly defined by department or function. Additionally, 21% said IT security was responsible, 15% said IT operations was and 11% said it was the job for IT compliance.
Mobile devices — especially the use of employee-owned devices for work purposes — are also putting new stress on the IT department, according to the survey, which was sponsored by Lumension. The survey shows that mobile devices, especially smartphones, are counted as among "the greatest rise of potential IT security risk."
Use of personal mobile devices for work appears to be growing rapidly. Seventeen percent of the survey's respondents said more than 75% of the organization's employees use their personal devices in the workplace; 20% said more than half did.
Roughly half allow some level of connectivity to the corporate network and indicated they "secure them in a manner similar to that already in place for corporate devices;" 12% claimed security standards were even stricter. Twenty-one percent said they allow no such use, while a similar number said they are planning to allow it.
A quarter of the survey's respondents said they use mobile-device management (MDM) of some kind today and 45% indicated that use would increase in the next 12 months. And whereas only 9% in 2010 cited mobile devices such as smartphones as an area of the greatest risk to the enterprise, this year 48% did.
Microsoft operating systems and applications — still predominant in corporate use — are seen as most vulnerable to overall IT risks, though slightly less than 2010 when the question was also asked. There is also deep concern about possible vulnerabilities in third-party applications. And there's growing nervousness about the Apple Mac operating system, with 25% listing it in their top-three greatest concerns. That's up from 15% last year who said they were worried about the Mac and malware.
In addition, 41% of IT managers are now "very concerned" about Mac malware infections, and another 44% are "increasingly concerned."
Malware in general continues to be the plague disrupting IT security, according to the survey. About a third cited a "major increase" in all types of malware incidents over last year, and 22% claimed there was a "slight increase." The vast majority of the organizations in the survey use anti-virus software, according to the survey and found it useful, though 21% dissed antivirus/anti-malware as "not effective at all."
But according to the survey, 43% said there were more than 50 "malware attempts or incidents" that their IT organizations had to deal with monthly. That was up from 27% that said that last year. Thirty-two percent said IT coped with between 26 to 50 monthly malware attempts and incidents, 13% said 11 to 25, and only 12% cited less than that.
About 90% cited "web-borne malware attacks" as a source, with "zero-day attacks" the incident that was "the biggest headache." Thirty-six percent believe their organization have been subject to "targeted attacks" aimed specifically at them for purpose of infiltrating the organization.