Third Annual Bit9 Endpoint Security Survey Puts Spotlight on APT Attacks; Reveals Companies Are Not Doing Enough to Protect Endpoints and Servers
August 30, 2011 - WALTHAM, Mass. - In a year that IT security experts have labeled the “Year of the Hack,” Bit9’s Third Annual Endpoint Survey of 765 IT executives revealed that Advanced Persistent Threat (APT) attacks -- like the one that infiltrated RSA, a division of EMC, and defense contractors this year – are of most concern to IT and security professionals.
However, despite the concerns about APT attacks, the survey also showed that executives are not doing enough to protect against unauthorized software and malware from infecting their desktops, laptops and servers.
Sixty percent of the respondents said they are concerned about APT attacks, more than double the next closest response, showing the growing anxiety among IT executives around modern threats. The second biggest hacking concern among IT executives, at 28 percent, is having one of their own employees steal company data and posts it online, much like what happened at the Department of Defense (DoD) with WikiLeaks. In third place, at 26 percent, are concerns around a vendor partner being hacked, much like what happened to Epsilon earlier this year. And in fourth place, at 25 percent, are concerns over a cloud application breach, much like what happened with Sony.
The Third Annual Endpoint Survey from Bit9 Inc., the market leader in adaptive application whitelisting, provides insight from IT and security professionals in technology/software, government and defense, financial services/banking, and retail. The survey is designed to gauge endpoint security issues, employee behaviors and topline concerns that enterprise professionals grapple with every day.
While worry remains high around cyber security breaches, the survey also showed a surprising 60 percent of the IT executives use either a written policy based on an “honor system,” or have an open software environment without a security policy in place. However, risky behavior doesn’t stop there. A narrow majority of companies surveyed (51 percent) said they allow their employees to download and install software.
The companies that allow employees to download software often find digital music sites like iTunes, social media sites and instant messaging software on it endpoints. Additionally, almost 80 percent of companies allow employees to use removable storage devices, exposing companies to the loss of sensitive data and intellectual property while increasing exposure to malware.
“Breaches that occurred in the first half of 2011 have changed the rules of security by exposing high profile companies like RSA, Sony, Lockheed Martin and numerous others,” said Tom Murphy, chief strategy officer, Bit9. “Our data finds that companies are increasingly worried about advanced persistent threat attacks, but they continue to engage in risky behaviors. Companies are gambling on a losing game by failing to put security policies in place. It’s not a case of if a breach will occur, but when and how severe.”
Additional findings from the survey include:
Companies continue to allow employees to engage in risky behaviors: IT executives have become even more hands-off in their software usage policy over the past three years, with 51 percent of respondents admitting that users have full rights to download and install applications. These relaxed download policies have increased 12 percent from 2010 when 39 said they did not have a policy that prohibits employee downloads. That figure increased by 22 percent from 2009 figures. Additionally, nearly 30 percent of IT executives allow the use of personal mobile devices at work that connects to the company Intranet.
Endpoint security failures can take down networks: While the majority said they have not experience network outages due to unauthorized software or malware, almost 20 percent of IT executives admit that unusual software found on the endpoint has resulted in crashing the company’s networks. These crashes meant lost productivity. Of those who experienced downtime, 30 percent said the crashes took down their network for 3-6 hours and 89 percent said the crashes lasted two hours or less.
Successful breach of company’s inbox stirs emotions: More than a quarter of IT executives would be mildly embarrassed by a breach exposing their company’s inbox, while more than half admitted to being mortified. Most noteworthy is that seven percent claim that their company would be out of business if such a breach would occur.
For more information on the survey, view the full results, please visit bit9.com/Bit9-Endpoint-Security-Survey-2011.