McAfee report exposes contradictions in security perception vs. reality
McAfee announced the State of Security report, showing how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. The report also reveals companies’ IT security priorities around processes, practices and technology for 2012. As the corporate data environment expands, effective information security is possible only by creating a Strategic Security Plan (SSP), which incorporates a comprehensive threat analysis and an in-depth layered security risk mitigation approach. The survey also identified some of the key trends facing today’s enterprises in the development of their SSPs.
The survey respondents categorized themselves into various states of security maturity. These categorizations help to understand the mindset of the companies as they view enterprise information security. The terms below are used to describe the level of security maturity of
- Reactive - uses an ad hoc approach to defining security processes and is event-driven. Nine per cent of the surveyed companies claim to be at this stage.
- Compliant - has some policies in place, but has no real standardization across security policies. The organization adheres to some security standards or the minimum required. Thirty-two per cent of the surveyed companies claim to be at this stage.
- Proactive - follows standardized policies, has centralized governance, and has a degree of integration across some security solutions. Forty-three per cent of the surveyed companies claim to be at this stage.
- Optimized - follows security industry best practices and maintains strict adherence to corporate policy. The organization utilizes automated security solutions that are highly integrated across the enterprise. Sixteen per cent of the surveyed companies claim to be at this stage.
“Every organization needs to take a layered approach to security, utilizing both processes and solutions designed to prevent compromise. Complicating the challenge of managing risk and securing data is the fact that ‘the enterprise’ now extends far beyond office walls and perimeter firewalls,” said Jill Kyte, vice president at McAfee.
“Companies are giving network access to business partners and contract workers, and in some cases, even to customers. Workers access the enterprise network remotely using mobile devices, many of which are personally owned and not controlled by the company whose network they access. Moreover, data and applications are being moved into public and hybrid cloud environments, where the data owners have little direct control over security. All of this requires a business to have a Strategic Security Plan.”
The key findings included:
- Organizations are confident about identifying the most critical threats to their environments and knowing where their critical data resides. However, most companies are not confident about quantifying the potential financial impact of a breach, should one occur.
- Organizational awareness and protection against information security risks is very important. However, one-third of the “Optimized” companies are uncertain about their IT security posture in terms of awareness and protection. Despite having formal strategic plans, 34 per cent of the companies believe they are not adequately protected against information security risks that could impact their business.
- A majority of the respondents indicated that as they develop SSPs, they include consideration of potential threats and the associated risk to business, and financial analysis. Yet, four out of five companies experienced a significant security incident in the past 12 months.
- Almost a third of organizations surveyed have either not purchased or not yet implemented many of the next-generation security technologies that are designed to address current-day threats. Yet more than 80 per cent of the organizations identify malware, spyware and viruses as major security threats.
- Two out of every five organizations have either an informal or ad hoc plan or no SSP in place. The size of the organization matters when it comes to having a formal SSP. Six of every 10 large enterprises have a formal SSP, two out of every three mid-size enterprises have a formal SSP, while this ratio dips to only one in two for small enterprises.
- Organizations in North America and Germany are more likely to have a formal SSP than those organizations in other regions of the world. This may be attributed to the regulatory environments in those countries.
- Top priorities for 2012 include implementing stronger controls to protect sensitive data and ensuring business continuity. The lowest priority is to reduce capital and operating expenditures for security infrastructure, indicating that organizations are willing to spend on the right kind of security solutions.
While organizations are working on their SSPs and are doing their best toward protecting business systems and critical data, there is much room for improvement.
[March 6, 2012]
- Step up to a higher security maturity level. Only 16 per cent of the survey respondents classify their organizations as being at the “Optimized” level. Worse, however, is the fact that nine per cent of the organizations are “Reactive” in their approach to IT security.
- Executive involvement is crucial. While IT and security personnel may take the lead in developing the plan, it’s important to have insight from those who best understand the business systems and the data they use. Moreover, executive involvement is critical to set the tone for the importance of security throughout the organization.
- Test early, test often, and make adjustments as needed. What good is a plan if it is developed and put on a shelf, or if it is never tested? Unfortunately we learned that 29 per cent of “Compliant” companies never test how they would respond to an incident. What’s more, 79 per cent of the surveyed companies experienced security incidents in the past year - indicating there are gaps in the plans that must be addressed.
- Use budget allocations wisely. Though every manager would like to have a bigger budget to be able to apply more safeguards, the “Optimized” companies have found ways to reach the highest level of performance with the same level of funding (percentage-wise) as the companies who are less prudent with their budgets.
- Use the right tools for the current threats. The survey shows that 45 per cent of the companies haven’t deployed next-generation firewalls. Mobile security is another area that should not be ignored, yet 25 per cent of the organizations have not purchased any tools for this purpose.
- Focus on protecting the lifeblood of the company - the sensitive corporate data. The top priorities for 2012 include implementing stronger controls to protect sensitive data and ensuring business continuity. Additional high priority activities are all meant to improve each organization’s overall security posture.