Almost two-thirds of IT security professionals think senior management should take more interest in security

The research from Kaspersky Lab, which took in responses from 1,300 senior IT security professionals in 11 countries, found that 63% believe that upper management outside the IT function should show more interest in IT security.

David Emm, a senior security researcher with the Russian-headquartered IT security vendor, said that corporate security is only effective if senior management is behind the IT department.

“The key to engaging senior executives who don’t have direct responsibility for security is for IT managers to be able to demonstrate the benefit of investing in security. This emphasises the need to measure security across the enterprise, which means being able to highlight security incidents that have occurred in the past, their potential impact and the steps needed to mitigate the threat”, he said.

This is, he added, the only way to demonstrate the return on investment of current security outlays, as well as providing a compelling case for IT security spending to plug any gaps that may exist in the corporate defenses.

The study also found that 30% of companies have not yet fully implemented even basic malware protection.

In practice, Kaspersky says, this means that while firms often run virus scanners, either important modules, such as anti-spyware detection, are missing, or not every machine has malware protection installed at all. Many companies, the firm says, protect their Windows desktops while neglecting the Macs in their graphic design departments and their employees' smartphones.
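One way to make that coverage gap measurable rather than anecdotal is to reconcile the full asset inventory against what the anti-malware agents actually report. The script below is an added example, not code from the article or from Kaspersky: it assumes a hypothetical inventory export (hostname and platform) and a list of agent check-ins (enabled modules and last-seen time), both constructed inline, and flags three kinds of gap the paragraph describes: devices with no agent, agents with a required module missing, and agents that have gone silent. It also lists agents reporting from hosts that are not in the inventory at all, since an unmanaged device is a gap in the other direction.

```python
"""Endpoint-protection coverage check (added example; data is constructed).

Reconciles an asset inventory against anti-malware agent check-ins and
reports, per platform, how many devices are actually protected and why
the rest are not.  Hostnames are compared case-insensitively because
inventory and agent consoles rarely agree on capitalisation.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    hostname: str
    platform: str  # e.g. "windows", "macos", "android"


@dataclass(frozen=True)
class AgentReport:
    hostname: str
    modules: frozenset  # protection modules the agent reports as enabled
    last_seen: datetime  # last successful check-in (naive UTC for the example)


# Modules a device must have enabled to count as protected (assumed policy).
REQUIRED_MODULES = frozenset({"antivirus", "antispyware", "web-protection"})


def coverage_report(assets, reports, required=REQUIRED_MODULES, now=None,
                    max_age=timedelta(days=7)):
    """Return (summary, gaps, unknown).

    summary: {platform: (covered_count, total_count)}
    gaps:    [(hostname, reason)] for every inventoried device not covered
    unknown: hostnames that report an agent but are absent from the inventory
    """
    now = now or datetime.now()
    by_host = {r.hostname.lower(): r for r in reports}
    totals = defaultdict(lambda: [0, 0])  # platform -> [covered, total]
    gaps = []

    for asset in assets:
        totals[asset.platform][1] += 1
        report = by_host.get(asset.hostname.lower())
        if report is None:
            gaps.append((asset.hostname, "no agent installed"))
            continue
        missing = required - report.modules
        if missing:
            gaps.append((asset.hostname,
                         "missing modules: " + ", ".join(sorted(missing))))
            continue
        silent = now - report.last_seen
        if silent > max_age:
            gaps.append((asset.hostname, f"agent silent for {silent.days} days"))
            continue
        totals[asset.platform][0] += 1

    known = {a.hostname.lower() for a in assets}
    unknown = sorted(r.hostname for key, r in by_host.items() if key not in known)
    summary = {platform: (covered, total)
               for platform, (covered, total) in totals.items()}
    return summary, gaps, unknown


# Constructed sample data: a small mixed fleet with the gaps the text describes.
NOW = datetime(2012, 6, 1, 12, 0)
FULL = REQUIRED_MODULES
SAMPLE_ASSETS = [
    Asset("WS-001", "windows"),
    Asset("WS-002", "windows"),
    Asset("MAC-DESIGN-01", "macos"),
    Asset("MAC-DESIGN-02", "macos"),
    Asset("PHONE-CEO", "android"),
]
SAMPLE_REPORTS = [
    AgentReport("ws-001", FULL, NOW - timedelta(days=1)),
    AgentReport("WS-002", frozenset({"antivirus"}), NOW - timedelta(hours=2)),
    AgentReport("mac-design-02", FULL, NOW - timedelta(days=30)),
    AgentReport("LAB-RASPI", FULL, NOW - timedelta(days=1)),  # not inventoried
]


def demo():
    """Run the check over the constructed sample fleet."""
    return coverage_report(SAMPLE_ASSETS, SAMPLE_REPORTS, now=NOW)


if __name__ == "__main__":
    summary, gaps, unknown = demo()
    for platform, (covered, total) in sorted(summary.items()):
        print(f"{platform:8} {covered}/{total} protected")
    for hostname, reason in gaps:
        print(f"GAP  {hostname:15} {reason}")
    for hostname in unknown:
        print(f"UNMANAGED {hostname} reports an agent but is not in the inventory")
```

The per-platform ratio is the figure to put in front of management: "Windows 1 of 2, Mac 0 of 2, phones 0 of 1" says more than "we have antivirus". In a real deployment the inventory would come from the CMDB or directory and the reports from the protection console's export, and the required-module set would be whatever the company's policy actually mandates.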

Managers, says the company, are being urged to demonstrate greater awareness of IT security and to set clear rules.

Emm argues that, in many businesses, IT security is being neglected: new devices, software and services are introduced, and protection is added as an afterthought.

This is, he says, not the way to implement an effective security policy. The correct procedure is to put a strategy in place first and then apply that strategy to any change made to the infrastructure.

“Say, for example, that a CEO suddenly develops a passion for tablet computers and wants to use them as additional corporate tools. In this case, the company’s security framework must be expanded to enable employees to work on these mobile devices in accordance with the corporation’s security policies”, he said.

“All proposed changes to company IT equipment should be explored beforehand and implemented only when this can be done securely. This, at any rate, is the theory. In practice, however, things look very different. As is so often the case, problems can arise because of tight budgets and staff shortages”, he added.

The problem, Kaspersky's senior security researcher went on to explain, is that companies of all sizes can fall victim to cybercriminals, since small firms often run the same software as large ones and so face the same threats: Windows on desktops and servers, and Internet Explorer or Firefox as web browsers.

They may also, he observes, use Microsoft Office, or comparable software suites, as well as other types of business software – such as software for storing customer data, for example.

“Realistic threats posed to companies include the theft of customer or financial data, the manipulation of money transfers, virus infections on workstations and servers, the interception of network traffic, and the storing of illegal content on company servers”, he said.

“Security risks can, however, be minimised by using an appropriate strategy. IT security needs to be seen as not just an occasional consideration. Instead, it must be taken into account in every aspect of corporate operations”, he added.
