The state of endpoint risk is not improving according to the fourth annual report researched by the Ponemon Institute and commissioned by Lumension to track endpoint risk, organizational threat strategy and resource availability. In this year’s State of the Endpoint Risk study, IT professionals reported the flood of mobile devices entering their corporate networks, advanced persistent threats and third-party application vulnerabilities are their primary pain points moving into 2013. A few short years ago, these concerns barely made the list.
“Once again, we found the changing security terrain is preventing the state of endpoint security from improving,” said Dr. Larry Ponemon, Chairman and Founder, the Ponemon Institute. “With the rise of hacktivism and advanced persistent threats, along with the sheer number of malware incidents we are seeing today, IT simply cannot keep up with the bad guys. Add to this fact that end users are furthering the complexity of the IT environment by bringing in mobile devices and downloading third-party applications – causing risk to exponentially proliferate. IT simply must take further action before the risk is beyond their control.”
Click through for findings from an endpoint security study conducted by the Ponemon Institute on behalf of Lumension.
One of the top concerns cited was the proliferation of personally owned mobile devices in the workplace, such as smartphones and tablets. Eighty percent of those surveyed said that laptops and other mobile data-bearing devices pose a significant security risk to their organization’s networks. Yet, with only 13 percent stating they use stricter security standards for personal over corporate-owned devices and 29 percent reporting no security strategy for employee-owned devices at all, there is a clear disconnect between awareness and action. These figures are staggering when compared to the 2010 survey. At that time, only 9 percent of respondents said mobile devices were a rising threat. This year, 73 percent rank mobile as one of the greatest risks within the IT environment.
This year’s State of the Endpoint study also found that IT professionals view third-party applications as a major security threat. In fact, 67 percent of those surveyed reported they viewed third-party applications as a significant risk – second to mobile security risk. In previous year’s surveys, the server environment, data centers and operating system vulnerabilities were cited as primary concerns. With the proliferation of mobile devices, along with the wide range of software and removable media commonly used in today’s enterprise environment, IT practitioners are increasingly worried about the attack vectors these third-party tools could bring into the corporate network. Google Docs and Adobe, including Flash and Adobe Reader are the applications of greatest concern.
Malware attacks are increasing. Fifty-eight percent of respondents say their organizations have more than 25 malware attempts or incidents each month and another 20 percent are unsure.
“It’s frightening that since we began this survey four years ago, the threatscape has expanded significantly and yet IT’s efforts in fighting malware and the tools they are using to do so remain consistently the same,” said Pat Clawson, Chairman and CEO, Lumension. “Clearly, IT is concerned but ill-equipped to deal with these issues. This may be due to lack of budget or lack of confidence in the tools they have at their disposal. We need to ensure that these issues are being raised to the C-suite, so that IT can secure the tools and funds they need to deal with this ever-growing challenge.”
In addition to mobile security risk, the security concern that represents the biggest headache for 2013 is advanced persistent threats (APTs). Whereas worms and less harmful viruses were a concern in earlier reports, today’s IT teams consider APTs and hacktivism a real, global threat. 36 percent of those surveyed reported that they viewed advanced persistent threats as a “significant” threat to their environments while just 24 percent of respondents held this view last year. In addition, only 12 percent of those surveyed this year stated that current antivirus/anti-malware technology is very effective in protecting their IT endpoints from today’s malware risk.
- Eighty-five percent of respondents are very concerned or increasingly concerned about Mac malware infections. This percentage remains unchanged from 2011.
- Higher IT operating expenses are blamed on malware.
- The lack of an enforceable centralized cloud security policy is putting unstructured confidential information at risk. Forty-five percent of respondents say their organization does not enforce employees’ use of private clouds and 14 percent are unsure.
- Controlling access privileges is often non-existent in organizations represented in this study. Sixty percent do allow local admin privileges to part of their user environment or to the entire user environment.