Faced with a seemingly endless onslaught of virulent Internet worms, spam, and e-mail scams, less than half of IT professionals report strong confidence in the security of their enterprise networks, according to the results of the 2004 InfoWorld Security Survey.
The picture that emerged from a poll of more than 600 IT professionals in our June online survey was one of wariness in the face of a wide range of threats, from insecure operating systems to online “spoofing” attacks.
Only 38 percent of IT professionals said they are “very confident” in their enterprise security, and a mere 8 percent said they are “extremely confident” in it. A plurality of those responding, 43 percent, said they are “somewhat confident” -- hardly a ringing endorsement.
The results mirrored the June 2003 survey, when IT managers emphasized similar concerns, with 41 percent saying they were “very confident” and 8 percent indicating they were “extremely confident” in their security systems. These percentages fell within the 3.98 percent margin of error in the 2004 survey.
IT leaders also report that a lack of adequate staffing and training to shore up security measures is a prime concern. And, while Trojan horses, viruses, and worms remain the chief threats for IT leaders, application vulnerabilities are growing rapidly in importance, as an increasing number of applications are made available over the Internet.
On the defensive
But why such a sense of worry, despite efforts to fortify defenses? Try a storm of online threats, including Net and e-mail worms that buffeted corporate network defenses in the past 12 months.
The situation reached a fever pitch in March, when competing virus writers pushed out a steady stream of foul-mouthed, insult-bearing MyDoom, Netsky, and Bagle worms, sometimes releasing multiple new variants on a single day. The onslaught of virulent Internet and e-mail worms bogged down their share of networks and almost certainly dragged down the confidence of many network administrators, as well.
“You had worms like Blaster that got around [perimeter] firewalls, and that told you that your perimeter protections were not enough. That scared a lot of people,” says Alan Paller, director of research at The SANS Institute.
Survey respondents seem to agree. Nearly 30 percent of them said that malicious code, including Trojan horse
Keeping the wolf from the door
Despite continuing fears, survey respondents said again this year that their organization suffered only a few successful attacks on their network from malicious hackers, Trojan horse programs, worms, and other threats.
Sixty-four percent of those responding to the survey said they knew of fewer than 10 successful attacks on their network in the past year. That’s an almost identical figure to the 63 percent of respondents in the 2003 survey who said that 10 or fewer attacks breached their enterprise security defenses.