Symantec Corp today announced the India findings of its 2011 State of Security Survey Report, which explored the state of cybersecurity in organizations of all sizes. The survey found that Indian organizations are focusing their efforts on mitigating business risks posed by cloud, mobile and social computing, along with targeted attacks, which are making security more difficult. In fact, over half the respondents revealed that cybersecurity is more important today than it was a year ago.
“Today, critical information assets are dispersed across the cloud, smart devices and social media, bringing new challenges in security,” said Shantanu Ghosh, VP and MD, India product operations, Symantec. “As Indian organizations realize the importance of a holistic strategy in minimizing the business impact of cybersecurity issues, they are better positioned to protect themselves against security-related revenue, data and brand losses.”
New Security Challenges
In a reflection of the concerns that prevail around cloud computing, 62 per cent of Indian businesses agreed that private cloud computing makes security more difficult, and 62 per cent also indicated the same for public software-as-a-service. Enterprises that are embracing mobile and social computing at the workplace are also facing challenges.
Fifty-eight per cent of Indian respondents feel that mobile computing is increasing the difficulty of providing cybersecurity, and 53 per cent face a similar challenge with social media. These new technologies, if not appropriately addressed in the security strategy of an organization, can also increase the insider threat to data. Fifty-one per cent of respondents see the well-meaning insider as a somewhat/extremely significant threat, and 52 per cent consider malicious insiders as a somewhat/extremely significant threat.
Attackers Continue to Target Indian Businesses
Nearly three-fourths of Indian respondents – across sectors such as education, IT, manufacturing, government and financial services – experienced cyber attacks recently, with 72 per cent indicating that they had witnessed attacks in the past 12 months.
Hacking, targeted attacks and industrial espionage are perceived as threats, with one in two organizations experiencing targeted attacks. Furthermore, 92 per cent of victim organizations experienced losses due to cyber attacks, with these losses translating into actual costs for 94 per cent. While 37 per cent of respondents experienced downtime, 31 per cent faced loss of customer personally identifiable information and 28 per cent lost intellectual property.
However, on a positive note, victims valued the revenue lost due to cyber attacks at Rs 41.3 lakh, a 40 per cent reduction over the previous year. Respondents also valued the cost of regulatory fines at Rs 26.4 lakh on average and the loss of brand reputation at Rs 33 lakh.
Indian Businesses Proactive in Security Approach
The reduced cost of cyber attacks can be attributed to the increased focus on cybersecurity, which over half the respondents said is more important now than it was a year ago. Over 53 per cent are planning significant changes to enterprise security in the next 12 months, primarily in the areas of risk management, endpoint security and web security. Businesses are also addressing the challenges posed by new computing models by allocating additional resources in terms of budget and manpower.
Fifty-four per cent are increasing their budgets for private cloud security and 53 per cent are planning the same for public cloud security initiatives. Similarly, businesses are also looking at manpower capacity growth for private cloud security (58 per cent) and public cloud security (62 per cent).
Recommendations
– Organizations need to develop and enforce IT policies. By prioritizing risks and defining policies that span across all locations, businesses can enforce policies through built-in automation and workflow to protect information, identify threats, and remediate incidents as they occur or anticipate them before they happen.
– Businesses need to protect information proactively by taking an information-centric approach to protect both information and interactions. Taking a content-aware approach to protecting information is key in identifying and classifying confidential, sensitive information, knowing where it resides, who has access to it, and how it is coming in or leaving your organization. Proactively encrypting endpoints will also help organizations minimize the consequences associated with lost devices.
– To help control access, IT administrators need to validate and protect the identities of users, sites and devices throughout their organizations. Furthermore, they need to provide trusted connections and authenticate transactions where appropriate.
– Organizations need to manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.
– IT administrators need to protect their infrastructure by securing all of their endpoints – including the growing number of mobile devices – along with messaging and Web environments. Defending critical internal servers and implementing the ability to back up and recover data should also be priorities. In addition, organizations need visibility, security intelligence and ongoing malware assessments of their environments to respond to threats rapidly.
Symantec’s 2011 State of Security Survey
Applied Research fielded this survey by telephone in April and May 2011. The results are based on 3,300 responses in 36 countries. The company surveyed C-level professionals, strategic and tactical IT, and individuals in charge of IT resources from companies with a range of 5 to more than 5,000 employees.
Of the total responses, 1,225 were from companies with 1,000 or more employees. The survey included respondents in 36 countries in North America, EMEA (Europe, Middle East and Africa), Asia Pacific and Latin America.