New ZDNet Security Survey: steady progress, wireless worries

The second annual ZDNet Digital Defense Test study asked more than 800 network technologists, IT managers and executives from around the country a series of questions to gauge how prepared U.S. businesses are to thwart network security threats from insiders, outsiders and natural disasters. To better understand shifts or trends in enterprise security practices, we looked at the results against the first Digital Defense Test survey conducted in 2002.

Businesses are clearly edging toward more security-63% feel that their company is less vulnerable to internal security threats than one year ago compared to 60% in 2002, and only 5% consider their company more vulnerable than 12 months ago (unchanged versus 2002).

In addition, a larger majority of companies believe they are better prepared against external threats compared to last year, and enterprises are paying more attention to corporate espionage.

There's also a growing interest in wireless networks, but many businesses still have the jitters about wireless security. The new survey shows nearly half of all companies believe wireless is not secure enough to deploy. Yet, another one-third of those surveyed are implementing wireless networks despite security concerns.

When asked to describe what the National Strategy to Secure Cyberspace < http://www.whitehouse.gov/pcipb/> has done to improve security in the past year, more than half of the respondents said it was ineffective.

Here are the detailed findings for 2003. In keeping with last year's study, we sampled randomly across CNET Network's membership, with 1/3 of the sample consisting of network technologists, 1/3 IT managers and directors, and 1/3 IT executives from small to large organizations in the United States.

Internal threats
In the first section of the study, respondents were asked questions pertaining to the manner in which their organization protects its business and technical operations from attack or exploitation from inside the enterprise. Here are the highlights of the results:

• Up from last year, slightly more than half of respondents (51%) report that their organization already has a policy in place to protect networks and systems from internal threats (47% in 2002); while somewhat fewer are currently developing such policies (26% vs. 31% in 2002). Similar to last year, 16% are evaluating the need and 6% don't see a need for such policies.
• Differing by only 1 or 2 percentage points versus last year's data, this year 46% of respondent organizations monitor internal security continuously, while 27% monitor daily. The remaining 27% monitor less frequently than daily (of this, 4% don't monitor at all).
• One area is unchanged from last year-1/3 of the time, the most senior person to receive regular monitoring or status reports on internal security is an IT executive or senior IT manager (e.g., CIO, CTO, or VP), and about 25% of the time the report is received by executive or senior business management
• Looking back one year, most organizations report they had few dedicated resources for ensuring security from internal threats: 40% had one employee who spent only part of their work day on this issue (down from 43% in 2002); 25% reported having 2 or more full-time employees focused on the issue of security from internal threats (up from 21% in 2002). Nine percent spent no resources on internal security (somewhat less than the 11% in 2002).
• For many organizations, nothing has changed in the last 12 months-31 percent say they have not changed the level of resources dedicated to security from internal threats; however, 26% of respondents report their company has increase resources by over 25% and in some cases over 50%. Only 3% report decreased resources. These findings are entirely consistent with the 2002 data.
• Roughly half of respondents believe that most companies are less than ideally prepared to deal with security breaches from inside the enterprise-51% rate most companies preparedness at four or less on a 10-point scale, where 10 is most prepared (somewhat improved from last year when 55% rated other companies a four or less).
• In contrast, more respondents consider their own organizations well-prepared to deal with internal threats than last year-62% rate the preparedness of their company at 6 or higher on the same 10-point scale compared to the 55% who rated their company at 6 or higher in the 2002 study.
• The movement is toward more security-63% feel that their company is less vulnerable to internal security threats than one year ago (slightly higher than the 60% in 2002). Somewhat fewer see their company's vulnerability as unchanged since last year (29% versus 35% in 2002), and a mere 5% consider their company more vulnerable than 12 months ago (unchanged versus 2002).
• It seems that careless employees are more likely to be viewed as an inside threat than last year (48% versus 43% in 2002), and fewer respondents felt disgruntled employees were the greatest inside threat (31% versus 38% last year); despite events of the last few months, the same percentage of respondents thought the greatest internal threats were from dishonest behavior of staff or executives (14% in 2003 and in 2002).
• Similar to last year's data, the most common security safeguard in place in respondent organizations appears to be user logon with expiration interval (69%), followed by 37% who report user logon with expiration intervals. Twenty-three percent report the use of smart cards. There is a sizeable change in the percentage of organizations using more advanced technologies in 2003-in aggregate, 7% of those surveyed use fingerprint, voice print, iris scan, or handprint (compared to 3% last year).

External threats
In the second section of the study, respondents were asked to characterize the ways in which their organization protects its business and technical operations from unauthorized access from outside the enterprise. The key findings are:

• Similar to the responses for "inside threats," 51% of respondent organizations have policies in place to protect against external threats, and 25% are currently developing policies. Another 15% are evaluating the need for these policies, and 7% don't see a need for this type of policy. These results are essentially the same as in 2002.
• In general, there appears to be more monitoring for external threats and the monitoring occurs more frequently-51% monitor for external threats continuously (vs. 47% last year), while 27% monitor at least daily (vs. 29% in 2002). Twenty percent monitor less frequently than daily and 3% don't monitor at all (compared to 6% last year).
• With regard to routine reports on external threats, 1/3 of the time an IT executive or senior IT manager receives the report, while 25% of the time it is received by a business executive or senior manager. These results are similar to the 2002 data.
• Reviewing their staffing levels of last year, 39% of organizations had one employee spending part of their day on external security issues, and 24% had 2 or more FTEs. Eight percent spent no resources on external security. These findings are not substantially different from than the 2002 results.
• As in 2002, about 30% of respondent organizations are spending the same level of resources as one year ago; one-fourth are spending over 25% more on resources for external security. Only 2% report spending less than 12 months ago.
• There is little movement in respondents' ratings of other companies' preparedness against external threats compared to last year-slightly more than 50% rated most companies' preparedness a 6 or higher on a 10-point scale. Twenty-eight percent rated most companies as less than well prepared (a rating of 4 or less).
• However, when rating their own companies, this year more respondents had favorable opinions-75% deemed their company well-prepared against external threats (a 6 or higher rating) compared to 70% in 2002, and fewer rated their companies at a four or lower (13% versus 20% in 2002).
• More respondents viewed viruses and worms as the greatest external threat to their operations in 2003 than in 2002 (65% versus 61% in 2002). Fewer thought hackers were the greatest external threat (18% of responses compared to 22% last year). Very few viewed attacks by cracker, cyber-terrorists or professional thieves as a major threat (each receiving 6% or fewer responses, similar to 2002).

Corporate Espionage
In the third section, we queried respondents about how their organization protects its trade secrets and proprietary business data (for example, customer data, R&D information, financial data, etc.). Some of the highlights of this section are:

• This year, more attention is being paid to protecting the enterprise from corporate espionage. Nearly 70% of respondents report their company has a policy in place or are developing one (53% already have one and 16% are currently developing one, compared to 45% and 20% in 2002, respectively). While 13% are evaluating the need, similar to the other threat sections, the number who see no need for this type of policy is much larger than the number who see no need for internal and external security policies-17% of the 2003 respondents see no need for a corporate espionage policy compared to 6-7% of respondents who see no need for policies governing internal and external threats.
• Consistent with the apparent heightened attention to corporate information security, almost 40% of respondent organizations monitor the security of corporate information and data on a continuous basis, compared to 32% last year. Twenty percent monitor daily and 27% monitor less frequently than daily. Thirteen percent don't monitor at all.
• In 2003, a business executive or senior business manager is just as likely to receive routine reports on the security status of corporate data assets as is an IT executive or senior IT management (29% of responses, respectively). This contrasts with 2002 data when only 20% of respondents indicated a business executive or manager received the routine reports.
• Reviewing the last year, 34% of organizations only had one employee who spent part of their day focused on protecting corporate information assets. And while 22% have 2 or more FTEs assigned to this important task, another 19% devote no resources at all to this security (down from the 25% who devoted no resources to corporate information security in 2002).
• On par with 2002, slightly more than 30% have increased resources dedicated to protecting corporate information by up to 25%; and 17% have increased it by more than 25% (in some cases by more than 50%). Thirty-six percent report no change in resources, and less than 3% have decreased resources.
• There is a lot more Spam challenging enterprise integrity in 2003-55% of respondents report a continuous flow of Spam (compared to 41% in 2002). Threats from emails with inappropriate content, occurring continuously and daily with equal frequency, were reported by roughly 1/3 of respondents in 2002 and 2003. Moving up in seriousness this past year is the threat from email viruses or worms, which occurred continuously or daily in 1/3 of respondent organizations (collectively), compared to 25% last year. Other threats occurred less frequently than quarterly, including Website hacking, network attacks, database intrusions, data or information theft, software theft and theft of telecom or network services (each reported by 30-40% of respondents, similar to 2002)

General Security Issues
In the final section of the survey, we asked respondents their opinions about some general cyber-security issues:

• There is little change in the opinions about industry-preparedness in 2003 compared to 2002-only 14% of survey participants feel that their industry is well prepared to deal with major or sustained disruptions. Most considered their industry only somewhat prepared (40% of responses). A similar number viewed their industry as poorly to not at all prepared (44%)
• There was no great increase or decrease in the number of respondents who felt that a major or sustained disruption, regardless of the origin, would merely disrupt operations but not threaten the company's existence (47% in 2003 versus 45% in 2002). The same is true for the 43% of respondents who felt their company would bounce back quickly from such a disruption. Only 9% believed a major disruption would be catastrophic for their business.
• When reacting to the statement "Defending our information systems is a job that is best left to individual users and enterprises" the responses generally fell into three categories:
  • Agree-46% of respondents agreed with this statement, somewhat less than last year's 50%
  • Agree somewhat-29% agreed with the statement to some extent, slightly more than the 25% last year
  • Disagree-16% disagreed entirely with the statement (similar to 2002)
  • 8% offered no opinion, comment or response (10% in 2002)
• Respondents were asked to describe what the US "national strategy" has done in the defense of cyberspace. Their comments were classified in one of 6 ways:
  • Very little-28% of respondents believe the government's strategy has done very little to help defend cyberspace
  • Nothing-23% contend the government's strategy has done absolutely nothing to aid the defense of cyberspace
  • Increased awareness-12% sincerely believe the national strategy has, at a minimum, increased awareness among businesses and the public
  • A good beginning-11% think the strategy is a good beginning and that the government should do more to help defend cyberspace (provide more laws, resources, better enforcement of regulations, etc.)
  • 16% of respondents offered unique comments that were too few to categorize, for example, suggesting that the government hasn't done enough, or that the defense of cyberspace isn't a government matter, or the issues are too political, etc.
  • 10% had no opinion or comment or were not aware of the national strategy
• A new question was posed this year to explore organizational views on wireless networks. Nearly half of respondents report their company doesn't believe wireless networks are secure enough to implement at this time. One-third have implemented or are implementing them despite concerns about security, and 6% believe they are as secure as wired networks. Only 5% think wireless networks will never be secure enough to adopt.