Mobile, APTs and apps top IT security concerns for 2013

New research from the Ponemon Institute, commissioned by Lumension, tracks endpoint risk, organizational threat strategy and resource availability, and finds these areas – mobile strategies in particular – to be mushrooming issues for corporate security personnel. In the 2011 survey, in contrast, the server environment, data centers and operating system vulnerabilities were cited as primary concerns.

"Once again, we found the changing security terrain is preventing the state of endpoint security from improving," said Larry Ponemon, chairman and founder at the Ponemon Institute. "With the rise of hacktivism and advanced persistent threats, along with the sheer number of malware incidents we are seeing today, IT simply cannot keep up with the bad guys. Add to this fact that end-users are furthering the complexity of the IT environment by bringing in mobile devices and downloading third-party applications – causing risk to exponentially proliferate. IT simply must take further action before the risk is beyond their control."

When it comes to mobile strategy, what a difference a year makes: in 2011, only 9% of respondents said mobile devices were a rising threat. This year, 73% rank mobile as one of the greatest risks within the IT environment.

More specifically, the bring-your-own-device (BYOD) strategy, or the rise of personal devices like laptops, smartphones and tablets being used in the workplace, keeps a full 80% of those surveyed up at night. But not enough to do much about it: only 13% said that they use stricter security standards for personal devices than they do for corporate-owned devices; about a third (29%) said they have no security strategy for employee-owned devices at all.

On a related note, the State of the Endpoint study also found that IT professionals view third-party applications as a major security threat. With the proliferation of mobile devices, along with the wide range of software and removable media commonly used in today's enterprise environment, IT practitioners are increasingly worried about the attack vectors these third-party tools could bring into the corporate network.

In fact, 67% of those surveyed reported they viewed third-party applications as a significant risk – second only to mobile security risk.

The third area of top concern revolves around APTs. Whereas worms and less harmful viruses were a concern in earlier reports, today's IT teams consider APTs and hacktivism a real, global threat. About 36% of those surveyed reported that they viewed advanced persistent threats as a "significant" threat to their environments, compared to 24% last year.

The BYOD pattern of being aware of the threat while taking little action to remedy it holds for APTs and application vulnerabilities as well. Only 12% of those surveyed this year said that current anti-virus/anti-malware technology is very effective in protecting their IT endpoints from today's malware risk, indicating a certain sense of inertia – or paralysis.

"It's frightening that since we began this survey four years ago, the threatscape has expanded significantly and yet IT's efforts in fighting malware and the tools they are using to do so remain consistently the same," said Pat Clawson, Chairman and CEO, Lumension. "Clearly, IT is concerned but ill-equipped to deal with these issues. This may be due to lack of budget or lack of confidence in the tools they have at their disposal. We need to ensure that these issues are being raised to the C-suite, so that IT can secure the tools and funds they need to deal with this ever-growing challenge."
