In addition, the survey found that close to 17% of organizations had no information security training for their employees, and close to half only had one to two sessions per year. For the 2011 report, Digital Defense surveyed 127 IT professionals from organizations of various sizes and a broad range of industries, as well as vulnerability data gathered from its cloud-based vulnerability scanning product.
“Organizations are still not grasping that they have to staff their information security function just like they would anything else. It’s not just simply another part of IT. It is really a functional area that needs to be defined by an organization and properly staffed as well”, said Tom DeSot, Digital Defense’s chief information officer.
DeSot related that one large organization that had thousands of employees only had two people dedicated to information security.
“The feedback we get frequently is that only one person is responsible for hundreds or potentially even thousands of computers, security for those computers, and making sure there are no breaches on the network. A key take away is that organizations really need to understand that in 2011 security is a cost of doing business”, DeSot told Infosecurity.
A full 81% of respondents said their organization used penetration testing to determine the risk of exploitation based on their IT network vulnerability.
“In 2011, we saw an uptick in the number of organizations using an array of information security services, rather than just depending on only vulnerability scanning or only penetration testing; they are using more of a broad-based approach”, DeSot said.
The survey covered a range of information security issues. For example, 86% of participants viewed browser-based attacks as either an important or very important information security concern. Around 35% viewed cloud computing threats as an important or very important security concern.
Data loss is also a high level issue for IT professionals. According to the survey, close to 90% of participants rated data loss as an important or very important security concern. Disaster recovery/business continuity threats were also rated highly, with over 90% rating those as important or very important.
Digital Defense offers the Insight report tailored to a particular organization. It provids the client a comparison of information security issues with peers as well as with all participants in the survey, explained DeSot. “It gives our clients an indication of the types of vulnerabilities that they are experiencing versus what others are experiencing in their vertical and other companies regardless of their vertical”, he added.