At the end of the annus horribilis 2001, the state of IT security doesn't look at all encouraging. Computer viruses and DoS (denial of service) attacks are so common they barely make the news, and many security managers don't know whether they should be worrying more about anthrax or computer viruses.
Our 2001 InfoWorld Security Solutions Survey reveals how these uncertainties are affecting the state of IT security. During September, InfoWorld surveyed 500 readers involved in determining technology strategy and making technology buying decisions for their companies, asking them about their expectations and plans for IT security. Most, but not all, of the interviews were conducted after the September 11 attacks.
More than half of our respondents expressed fear, reporting that they are "very concerned" or "extremely concerned" about potential security breaches. The most anxiety was expressed over virus attacks: 73% reported a high degree of concern. This comes as no surprise when one ticks off this year's crop of celebrity viruses such as Nimda and Sircam. Defending against these pests still relies on signature-based scanning methods that can't catch a virus on day one of an outbreak, and protection from viruses is partly a matter of luck and partly a matter of the software being used.
The next two types of security breaches -- system penetration and external hacking, which are worries for 56% and 52% of respondents, respectively -- sound redundant but may not necessarily be so. Although it would be hard to perform a stunt such as website defacement without a system penetration, in the absence of obvious damage, many casual penetrations are often best viewed as "rattling doorknobs." So that's the difference: If data is damaged, it's a hack; otherwise, it's just a penetration.
More than 40% expressed concern about theft of proprietary data (47%), theft of transaction data (43%), and unauthorised insider access (42%). As with "system penetration," the "unauthorised insiders" aren't necessarily hostile; they might well have stumbled across a gap in access controls while lost in a file system.
DoS attacks and financial fraud tie on the worry meter, with 41% of respondents reporting high anxiety over these issues. Website vandalism is a significant concern for 37%, no doubt including many of those we noted as expressing concern about system penetration and external hacking. Internal hacking represents a cause for concern to 36% of our respondents. Again, it is important to note that we are distinguishing actively malicious behaviour from simple access violations by unauthorised insiders.
A little more than a third (34%) of respondents worry about equipment theft. In the case of physical break-ins, it is not always the hardware itself that's at risk. Unsecured backup media such as disks or tapes are also tempting targets, but for different reasons. Missing media could point to a potential case of industrial espionage or someone who needed a tape for their camcorder, whereas a missing laptop could be linked either to an industrial spy or to a simple crackhead.
Of course, what you worry about often reflects what's happening around you, and that was certainly the case when we asked our respondents about their recent experiences. A third of our respondents (34%) have experienced an unauthorised security breach in the past 12 months. Here again, the word "unauthorised" might appear redundant, but because the best way to test procedures is to authorise a security breach, it isn't.
Viruses are apparently the biggest worry for our respondents, and for good reason: A whopping 44% indicated they had been victims within the last year. External hacking was the only other attack to score in double digits: 16% reported they had been hit since 2000.
The rest of the security breaches suffered by companies appear minor in comparison: DoS, website vandalism, physical theft, and system penetration each hit 8% of respondents. Unauthorised insiders affected 7%, and internal hacking 5%, indicating that the threat from inside is nowhere near as dangerous as perceived. Two percent of respondents reported having been victims of fraud or theft of proprietary data within the last year, while exactly one respondent reported theft of transaction data.
Who's behind all these attacks? Whereas current and former employees were blamed for 9% and 6%, respectively, 39% of respondents indicated they have no idea at all. "Independent hackers" were fingered by almost half (46%) of our respondents, but only a handful pointed at competitors (2%), foreign governments (1%), or political organisations (2%).
We weren't surprised to see that nearly every respondent uses anti-virus software; today, ignoring the need for anti-virus software may not be criminal but definitely qualifies as a due-diligence failure.
Neither were we surprised to see that only 10% use biometric access controls or plan to adopt them in the next 12 months. Almost half (46%) of those use fingerprint verification, with hand geometry and iris recognition far behind at 16% and 15%, respectively, and voice, signature, and facial geometry recognition bringing up the rear at 4% each. We expect companies will be adopting biometric technology at a more rapid pace in the future, as costs come down and the capabilities -- and IT's expertise -- improve.
Although outsourcing is always an option, most companies (80%) continue to use in-house resources for IT security functions. This indicates that our respondents generally choose to play their IT security cards close to the vest, no doubt due in part to reluctance to let go of responsibility for such a sensitive area. A little more than half of the respondents (53%) prefer to integrate "best-of-breed" solutions, with only 22% choosing to go with a single source. Although single-sourcing appears to offer the prospect of easier adoption of new security technologies, IT managers are more likely to choose the wiser course of picking the best tool for the job.
The results of our Security Solutions Survey speak loud and clear. Although IT security is a complex beast, IT managers and their concerns are fairly well-aligned with the reality they face. Naturally, security managers prefer to be safe rather than sorry. It's always better to be overly concerned about plugging holes than to pretend your systems are untouchable until one gets hacked and takes out the business.
PJ Connolly covers groupware, messaging, networking, operating systems, and security for the InfoWorld Test Centre.