McAfee Report Exposes Contradictions in Security Perception vs. Reality

'State of Security' Report Shows Organizations Recognize a
Pervasiveness and Resiliency of Cyber Criminals, Yet 79 Per Cent
Experienced a Significant Incident in Past 12 Months

SANTA CLARA, Calif. - March 6, 2012 - McAfee today announced the State
of Security report, showing how IT decision makers view the challenges
of securing information assets in a highly regulated and increasingly
complex global business environment.  The report also reveals
companies' IT security priorities around processes, practices and
technology for 2012. As the corporate data environment expands,
effective information security is possible only by creating a
Strategic Security Plan (SSP), which incorporates a comprehensive
threat analysis and an in-depth layered security risk mitigation
approach. The survey also identified some of the key trends facing
today's enterprises in the development of their SSPs.

Security Maturity
The survey respondents categorized themselves into various states of
security maturity. These categorizations help to understand the
mindset of the companies as they view enterprise information security.
The terms below are used to describe the level of security maturity of
participating organizations:

- Reactive - uses an ad hoc approach to defining security processes
  and is event-driven. Nine per cent of the surveyed companies claim
  to be at this stage.
- Compliant - has some policies in place, but has no real
  standardization across security policies. The organization adheres
  to some security standards or the minimum required. Thirty-two per
  cent of the surveyed companies claim to be at this stage.
- Proactive - follows standardized policies, has centralized
  governance, and has a degree of integration across some security
  solutions. Forty-three per cent of the surveyed companies claim to
  be at this stage.
- Optimized - follows security industry best practices and maintains
  strict adherence to corporate policy. The organization utilizes
  automated security solutions that are highly integrated across the
  enterprise. Sixteen per cent of the surveyed companies claim to be
  at this stage.

"Every organization needs to take a layered approach to security,
utilizing both processes and solutions designed to prevent compromise.
Complicating the challenge of managing risk and securing data is the
fact that 'the enterprise' now extends far beyond office walls and
perimeter firewalls," said Jill Kyte, vice president at McAfee.
"Companies are giving network access to business partners and
contract workers, and in some cases, even to customers. Workers access
the enterprise network remotely using mobile devices, many of which
are personally owned and not controlled by the company whose network
they access. Moreover, data and applications are being moved into
public and hybrid cloud environments, where the data owners have
little direct control over security. All of this requires a business
to have a Strategic Security Plan."

The key findings included:
- Organizations are confident about identifying the most critical
  threats to their environments and knowing where their critical data
  resides. However, most companies are not confident about quantifying
  the potential financial impact of a breach, should one occur.
- Organizational awareness and protection against information security
  risks is very important. However, one-third of the "Optimized"
  companies are uncertain about their IT security posture in terms of
  awareness and protection. Despite having formal strategic plans, 34
  per cent of the companies believe they are not adequately protected
  against information security risks that could impact their business.
- A majority of the respondents indicated that as they develop SSPs,
  they include consideration of potential threats and the associated
  risk to business, and financial analysis. Yet, four out of five
  companies experienced a significant security incident in the past 12
  months.
- Almost a third of organizations surveyed have either not purchased
  or not yet implemented many of the next-generation security
  technologies that are designed to address current-day threats. Yet
  more than 80 per cent of the organizations identify malware, spyware
  and viruses as major security threats.
- Two out of every five organizations have either an informal or ad
  hoc plan or no SSP in place. The size of the organization matters
  when it comes to having a formal SSP. Six of every 10 large
  enterprises have a formal SSP, two out of every three mid-size
  enterprises have a formal SSP, while this ratio dips to only one in
  two for small enterprises.
- Organizations in North America and Germany are more likely to have a
  formal SSP than those organizations in other regions of the world.
  This may be attributed to the regulatory environments in those
  countries.
- Top priorities for 2012 include implementing stronger controls to
  protect sensitive data and ensuring business continuity. The lowest
  priority is to reduce capital and operating expenditures for
  security infrastructure, indicating that organizations are willing
  to spend on the right kind of security solutions.

Conclusions
While organizations are working on their SSPs and are doing their best
toward protecting business systems and critical data, there is much
room for improvement.

- Step up to a higher security maturity level. Only 16 per cent of the
  survey respondents classify their organizations as being at the
  "Optimized" level. Worse, however, is the fact that nine per cent of
  the organizations are "Reactive" in their approach to IT security.
- Executive involvement is crucial. While IT and security personnel
  may take the lead in developing the plan, it's important to have
  insight from those who best understand the business systems and the
  data they use. Moreover, executive involvement is critical to set
  the tone for the importance of security throughout the organization.
- Test early, test often, and make adjustments as needed. What good is
  a plan if it is developed and put on a shelf, or if it is never
  tested? Unfortunately we learned that 29 per cent of "Compliant"
  companies never test how they would respond to an incident. What's
  more, 79 per cent of the surveyed companies experienced security
  incidents in the past year - indicating there are gaps in the plans
  that must be addressed.
- Use budget allocations wisely. Though every manager would like to
  have a bigger budget to be able to apply more safeguards, the
  "Optimized" companies have found ways to reach the highest level of
  performance with the same level of funding (percentage-wise) as the
  companies who are less prudent with their budgets.
- Use the right tools for the current threats. The survey shows that
  45 per cent of the companies haven't deployed next-generation
  firewalls. Mobile security is another area that should not be
  ignored, yet 25 per cent of the organizations have not purchased any
  tools for this purpose.
- Focus on protecting the lifeblood of the company - the sensitive
  corporate data. The top priorities for 2012 include implementing
  stronger controls to protect sensitive data and ensuring business
  continuity. Additional high priority activities are all meant to
  improve each organization's overall security posture.

About the Survey
The survey was conducted by Evalueserve and included responses from 495
organizations. Countries included in the survey were the United States,
Canada, United Kingdom, Germany, France, Brazil, Australia, Singapore,
and New Zealand. The organizations range in size from a minimum of
1,000 employees to more than 50,000 employees. The report is available
at: www.mcafee.com/ssp.

About McAfee
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC),
is the world's largest dedicated security technology company. McAfee
delivers proactive and proven solutions and services that help secure
systems, networks, and mobile devices around the world, allowing users
to safely connect to the Internet, browse and shop the Web more
securely. Backed by its unrivaled Global Threat Intelligence, McAfee
creates innovative products that empower home users, businesses, the
public sector and service providers by enabling them to prove
compliance with regulations, protect data, prevent disruptions,
identify vulnerabilities, and continuously monitor and improve their
security. McAfee is relentlessly focused on constantly finding new
ways to keep our customers safe. http://www.mcafee.com.

McAfee Canada is headquartered in Markham, Ontario, with regional
offices across Canada. The company's Consumer Software Research and
Development facility is based in Waterloo, Ontario.

About Evalueserve
Evalueserve is a global specialist in knowledge processes with a team
of more than 2,600 professionals worldwide. As a trusted partner,
Evalueserve analyzes, improves and executes knowledge-intensive
processes and leverages its proprietary technology to increase
efficiency and effectiveness. We have dedicated on-site teams and
scalable global knowledge centers in Chile, China, India and Romania,
which provide multi-time zone and multi-lingual services.

Evalueserve's knowledge solutions include customized research and
analytics services for leading-edge companies worldwide. By partnering
with us, clients benefit from higher productivity, improved quality,
and freed-up management time. We provide our clients with better
access to knowledge and information across all parts of their
organization, thereby adding to their capabilities.

-30-

Note: McAfee and the McAfee logo are registered trademarks or trademarks
of McAfee, Inc., or its subsidiaries in the United States and other
countries. Other names and brands may be claimed as the property of
others. ©2012 McAfee, Inc. All rights reserved.


For more information please contact:
Maxine Cheung/Dianna Lai
StrategicAmpersand Inc. (for McAfee Canada)
Maxine@stratamp.com/Dianna@stratamp.com
McAfeePR@stratamp.com
 (416) 961-5595