McAfee Report Exposes Contradictions in Security Perception vs. Reality

‘State of Security’ Report Shows Organizations Recognize a
Pervasiveness and Resiliency of Cyber Criminals, Yet 79 Per Cent
Experienced a Significant Incident in Past 12 Months

SANTA CLARA, Calif. - March 6, 2012 - McAfee today announced the State
of Security report, showing how IT decision makers view the challenges
of securing information assets in a highly regulated and increasingly
complex global business environment. The report also reveals
companies’ IT security priorities around processes, practices and
technology for 2012. As the corporate data environment expands,
effective information security is possible only by creating a Strategic
Security Plan (SSP), which incorporates a comprehensive threat analysis
and an in-depth layered security risk mitigation approach. The survey
also identified some of the key trends facing today’s enterprises in
the development of their SSPs.

Security Maturity
The survey respondents categorized themselves into various states of
security maturity. These categorizations help to understand the mindset
of the companies as they view enterprise information security. The terms
below are used to describe the level of security maturity of
participating organizations:
● Reactive - uses an ad hoc approach to defining security processes
and is event-driven. Nine per cent of the surveyed companies claim to be
at this stage.
● Compliant - has some policies in place, but has no real
standardization across security policies. The organization adheres to
some security standards or the minimum required. Thirty-two per cent of
the surveyed companies claim to be at this stage.
● Proactive - follows standardized policies, has centralized
governance, and has a degree of integration across some security
solutions. Forty-three per cent of the surveyed companies claim to be at
this stage.
● Optimized - follows security industry best practices and maintains
strict adherence to corporate policy. The organization utilizes
automated security solutions that are highly integrated across the
enterprise. Sixteen per cent of the surveyed companies claim to be at
this stage.

“Every organization needs to take a layered approach to security,
utilizing both processes and solutions designed to prevent compromise.
Complicating the challenge of managing risk and securing data is the
fact that ‘the enterprise’ now extends far beyond office walls and
perimeter firewalls,” said Jill Kyte, vice president at McAfee.
“Companies are giving network access to business partners and
contract workers, and in some cases, even to customers. Workers access
the enterprise network remotely using mobile devices, many of which are
personally owned and not controlled by the company whose network they
access. Moreover, data and applications are being moved into public and
hybrid cloud environments, where the data owners have little direct
control over security. All of this requires a business to have a
Strategic Security Plan.”

The key findings included:
● Organizations are confident about identifying the most critical
threats to their environments and knowing where their critical data
resides. However, most companies are not confident about quantifying the
potential financial impact of a breach, should one occur.
● Organizational awareness and protection against information
security risks is very important. However, one-third of the
“Optimized” companies are uncertain about their IT security
posture in terms of awareness and protection. Despite having formal
strategic plans, 34 per cent of the companies believe they are not
adequately protected against information security risks that could
impact their business.
● A majority of the respondents indicated that as they develop SSPs,
they include consideration of potential threats and the associated risk
to business, and financial analysis. Yet, four out of five companies
experienced a significant security incident in the past 12 months.
● Almost a third of organizations surveyed have either not purchased
or not yet implemented many of the next-generation security technologies
that are designed to address current-day threats. Yet more than 80 per
cent of the organizations identify malware, spyware and viruses as major
security threats.
● Two out of every five organizations have either an informal or ad
hoc plan or no SSP in place. The size of the organization matters when
it comes to having a formal SSP. Six of every 10 large enterprises have
a formal SSP, two out of every three mid-size enterprises have a formal
SSP, while this ratio dips to only one in two for small enterprises.
● Organizations in North America and Germany are more likely to have
a formal SSP than those organizations in other regions of the world.
This may be attributed to the regulatory environments in those
countries.
● Top priorities for 2012 include implementing stronger controls to
protect sensitive data and ensuring business continuity. The lowest
priority is to reduce capital and operating expenditures for security
infrastructure, indicating that organizations are willing to spend on
the right kind of security solutions.

Conclusions
While organizations are working on their SSPs and are doing their best
toward protecting business systems and critical data, there is much room
for improvement.
● Step up to a higher security maturity level. Only 16 per cent of
the survey respondents classify their organizations as being at the
“Optimized” level. Worse, however, is the fact that nine per cent
of the organizations are “Reactive” in their approach to IT
security.
● Executive involvement is crucial. While IT and security personnel
may take the lead in developing the plan, it’s important to have
insight from those who best understand the business systems and the data
they use. Moreover, executive involvement is critical to set the tone
for the importance of security throughout the organization.
● Test early, test often, and make adjustments as needed. What good
is a plan if it is developed and put on a shelf, or if it is never
tested? Unfortunately we learned that 29 per cent of “Compliant”
companies never test how they would respond to an incident. What’s
more, 79 per cent of the surveyed companies experienced security
incidents in the past year - indicating there are gaps in the plans that
must be addressed.
● Use budget allocations wisely. Though every manager would like to
have a bigger budget to be able to apply more safeguards, the
“Optimized” companies have found ways to reach the highest level
of performance with the same level of funding (percentage-wise) as the
companies who are less prudent with their budgets.
● Use the right tools for the current threats. The survey shows that
45 per cent of the companies haven’t deployed next-generation
firewalls. Mobile security is another area that should not be ignored,
yet 25 per cent of the organizations have not purchased any tools for
this purpose.
● Focus on protecting the lifeblood of the company - the sensitive
corporate data. The top priorities for 2012 include implementing
stronger controls to protect sensitive data and ensuring business
continuity. Additional high priority activities are all meant to improve
each organization’s overall security posture.

About the Survey
The survey was conducted by Evalueserve and included responses from 495
organizations. Countries included in the survey were the United States,
Canada, United Kingdom, Germany, France, Brazil, Australia, Singapore,
and New Zealand, and the organizations range in size from a minimum of
1,000 employees to more than 50,000 employees.

The report is available at: www.mcafee.com/ssp.

About McAfee
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC),
is the world's largest dedicated security technology company. McAfee
delivers proactive and proven solutions and services that help secure
systems, networks, and mobile devices around the world, allowing users
to safely connect to the Internet, browse and shop the Web more
securely. Backed by its unrivaled Global Threat Intelligence, McAfee
creates innovative products that empower home users, businesses, the
public sector and service providers by enabling them to prove compliance
with regulations, protect data, prevent disruptions, identify
vulnerabilities, and continuously monitor and improve their security.
McAfee is relentlessly focused on constantly finding new ways to keep
our customers safe. http://www.mcafee.com.

McAfee Canada is headquartered in Markham, Ontario, with regional
offices across Canada. The company's Consumer Software Research and
Development facility is based in Waterloo, Ontario.

About Evalueserve
Evalueserve is a global specialist in knowledge processes with a team
of more than 2,600 professionals worldwide. As a trusted partner,
Evalueserve analyzes, improves and executes knowledge-intensive
processes and leverages its proprietary technology to increase
efficiency and effectiveness. We have dedicated on-site teams and
scalable global knowledge centers in Chile, China, India and Romania,
which provide multi-time zone and multi-lingual services.

Evalueserve’s knowledge solutions include customized research and
analytics services for leading-edge companies worldwide. By partnering
with us, clients benefit from higher productivity, improved quality, and
freed-up management time. We provide our clients with better access to
knowledge and information across all parts of their organization,
thereby adding to their capabilities.

-30-