Transcript
Page 1: 2010 State Of Enterprise Security

2010 State of Enterprise Security

Global Results

Page 2: 2010 State Of Enterprise Security

Methodology

• Applied Research performed survey

• January 2010

• 2,100 worldwide enterprises

– Small (500-999 employees)

– Mid (1,000-4,999 employees)

– Large (5,000+ employees)

• Cross-industry

• CIO/CISO and IT management

Page 3: 2010 State Of Enterprise Security

Key findings

• Enterprise security is IT’s top concern

• Enterprises are experiencing frequent attacks

• Costs of cyber attacks are high

• Enterprise security becoming more difficult

Page 4: 2010 State Of Enterprise Security

Enterprise security is IT’s top concern

• 42 percent rank cyber risk as their top concern, more than natural disasters, terrorism and traditional crime.

• “Better manage business risk of IT” is the second-ranked goal

• 120 staff assigned to security/IT compliance

• Half forecast significant changes to enterprise security

Page 5: 2010 State Of Enterprise Security

Frequent attacks

• 75% experienced cyber attacks in past 12 months

• 36% say attacks were somewhat/highly effective

• 29% saw increase in attacks in past 12 months

Page 6: 2010 State Of Enterprise Security

Costs of cyber attacks are high

• 100% have experienced cyber losses

• 92% have seen costs as a result

• Annual cost of cyber attacks: $2.0M (USD)

Page 7: 2010 State Of Enterprise Security

Security becoming more difficult

• Enterprise security is understaffed

• New IT initiatives complicate matters

• Compliance is a huge issue, with a typical enterprise exploring 17 different standards or frameworks and using an average of 8

Page 8: 2010 State Of Enterprise Security

Recommendations

• Protect the infrastructure

• Protect the information

• Develop and enforce IT policies

• Manage systems

Page 9: 2010 State Of Enterprise Security

Protect the infrastructure

• Secure endpoints

• Protect email and Web

• Defend critical internal servers

• Backup and recover data

Only 44% of organizations reported using client-intrusion detection.

Page 10: 2010 State Of Enterprise Security

Protect the information

• Discover where sensitive information resides

• Monitor how data is being used

• Protect sensitive information from loss

77% are somewhat/extremely concerned about losing confidential or proprietary information.

Page 11: 2010 State Of Enterprise Security

Develop and enforce IT policies

• Define risk and develop IT policies

• Assess infrastructure and processes

• Report, monitor and demonstrate due care

• Remediate problems

50% have experienced social engineering attacks in the past 12 months, something that policies would address.

Page 12: 2010 State Of Enterprise Security

Manage systems

• Implement secure operating environments

• Distribute and enforce patch levels

• Automate processes to streamline efficiency

• Monitor and report on system status

87% felt that keeping patches and definition files current was their most effective safeguard.

