Authority:
Risk Guidance:
Control Guidance:
Relevance:
Background Facts:
- VanDyke Software commissioned Amplitude Research to survey 353 network and system administrators on network security:
- respondents were from various industries:
- aerospace/defense contracting, agriculture and food/beverage products, automotive;
- banking/finance, business services, insurance, legal;
- computer hardware and software, systems integration;
- education, non-profit, government/municipal, utilities;
- entertainment and media, retail;
- healthcare and pharmaceutical;
- internet e-commerce, web hosting/ISP, telecommunications;
- manufacturing, construction/architecture; and
- transportation, travel.
Relevance to Business Activities:
- security - administrative safeguards considerations:
- IT/security budgets:
- how is the overall IT budget for 2010 changing as compared to 2009:
- decrease by more than 10% - 12.2%;
- decrease by less than 10% - 9.9%;
- no change - 34.27%;
- increase by less than 10% - 22.7%;
- increase by more than 10% - 15.3%; and
- do not know - 5.7%.
- how is the IT security budget for 2010 changing as compared to 2009:
- decrease by more than 10% - 9.6%;
- decrease by less than 10% - 9.6%;
- no change - 45.3%;
- increase by less than 10% - 19.5%;
- increase by more than 10% - 10.2%; and
- do not know - 5.7%.
- has the organization budgeted sufficiently to support current information security needs:
- no - 43%; and
- yes - 57%.
- respondents who felt that their organization had budgeted sufficiently were more likely to report an increase (38%) than a decrease (18%) in their budget.
- IT staffing:
- 17% of organizations were increasing the size of their IT security staff:
- how is the organization changing the size of the IT security staff for 2010 as compared to 2009:
- significant decrease in size of IT security staff - 2.8%;
- decrease in size of IT security staff - 9.1%;
- no change - 71.1%;
- increase in size of IT security staff - 15.9%; and
- significant increase in size of IT security staff - 1.13%.
- is the organization sufficiently staffed to support current information security needs:
- no - 43%; and
- yes - 57%.
- of respondents who felt their organization is sufficiently staffed, 17% saw an increase in staff levels and 5% saw a decrease.
- the economy:
- which external events had the greatest impact on information security plans:
- the economy - 32.3%;
- customer, vendor or business partner requirements - 27.2%;
- legislative drivers (e.g. HIPAA, SOX, GLBA) - 21.5%;
- homeland security - 6%; or
- none of the above - 13%.
- has the company cancelled any 2010 IT security projects as a result of a perceived poor economy:
- no - 78%; and
- yes - 22%.

- how does the company address information security issues:
- using internal staff and resources - 76.5%;
- employing a security consultant to advise and assist internal staff - 21%; and
- outsourcing to a managed service provider or consulting firm (e.g. IBM, Accenture, etc.) - 2.5%.

- security - administrative and technical safeguards considerations:
- worries of system and network administrators:
- what keeps network administrators up at night:
- a security breach to the network - 38.8%:
- the company's users - 38.2%:
- the company's recovery plan (or lack thereof) - 32.3%:
- worrying about the next virus/worm - 22.4%:
- held steady compared to 2009.
- a security breach to the company website - 14.2%:
- none - 26.06%.
- respondents who felt they had an insufficient IT security budget were more likely to have a worry that keeps them up at night.
- cloud computing:
- to what extent has the company adopted cloud computing for one or more applications:
- have not adopted and not currently considering - 38.2%;
- currently considering but not adopted - 46.7%; or
- adopted - 15%.
- if cloud computing has been adopted, rate its security:
- not at all secure - 1.9%;
- not very secure - 7.5%;
- somewhat secure - 43.4%;
- very secure - 43.4%; and
- do not know - 3.8%.
- if cloud computing has not been adopted:
- rate its security:
- not at all secure - 3.3%;
- not very secure - 11.3%;
- somewhat secure - 56%;
- very secure - 13.7%; and
- do not know - 15.7%.
- are security concerns the primary reason cloud computing has not been adopted:
- no - 38.6%; and
- yes - 61.4%.

- Mac OS X platform:
- has the company adopted the Mac OS X platform for one or more of its computers:
- no - 63.5%; and
- yes - 36.5%.
- level of satisfaction with Mac OS X security in comparison with the last system used:
- not at all satisfied - 3.9%;
- slightly satisfied - 9.3%;
- moderately satisfied - 35.7%;
- very satisfied - 30.2%; and
- extremely satisfied - 20.9%.
- automated patch management:
- 69% of organizations use an automated patch management tool to distribute and install critical updates to operating systems and/or applications:
- primary reasons organizations do not use an automated patch management tool:
- not a priority - 34.9%;
- cost - 29.4%;
- security issues - 21.1%; or
- other - 14.7%.
- security management priorities:
- most important security management issues:
- securing remote access - 25%;
- keeping virus definitions up to date - 15%;
- patching systems - 10%;
- monitoring intrusions - 10%;
- secure file transfer - 11%;
- network use monitoring - 7%;
- user awareness - 8%;
- password management - 5%;
- user training - <5%;
- managing logs - <5%; and
- replacing non-secure protocols - <5%.

- security at the company:
- areas of current security where respondents are somewhat or very dissatisfied:
- laptops - 18.7%;
- handheld devices - 15.3%;
- physical security (facility and workstation access) - 11.1%;
- remote access by employees, customers and/or partners - 9.6%;
- desktops - 9.1%;
- wireless LAN - 9.1%;
- virtual machines - 4.8%; and
- data center/server farm - 4.2%.

- online communities and collaboration considerations impacting security - administrative and technical safeguards:
- social media:
- social media includes social networks, blogs, online video, microsharing, widgets, etc.;
- 88% of network administrators were concerned about the potential security threat of employees using social media:
- how concerned are administrators with employee use of social media as a security threat to the company:
- not at all concerned - 12.2%;
- slightly concerned - 22.1%;
- somewhat concerned - 26.1%;
- moderately concerned - 21.8%; and
- extremely concerned - 17.8%.
- concerns related to employee use of social media:
- viruses - 22%;
- unproductive/time wasted - 21%;
- security/intrusion risk - 19%;
- data leaks - 16%;
- privacy - 7%;
- malware - 5%; and
- uses bandwidth - 4%.
- what degree of access do employees have to social media when using company networks:
- no access - 15.3%;
- limited access - 48.2%; and
- unlimited access - 36.5%.

- does the company have a formal policy regarding employee use of social media:
- no - 44.5%:
- 59% of these organizations allow employees unlimited access to social media when using the company network.
- yes - 55.5%:
- only 18% of these organizations allow unlimited employee access.
- policies may:
- provide guidelines about appropriate versus inappropriate sharing of company information; and
- restrict or prohibit using social media while at work or using company equipment.

- a prohibition on social media usage at work would not solve all security problems, e.g. employees could use social media at home:
- revealing information:
- about the company and/or work practices; or
- that a hacker could use to gain unauthorized network access.

- leading to a virus inadvertently being transferred to the company network, if files are shared between home and work.

- social media is often considered a relatively important company security issue:
- as compared to other security threats facing the company, how important is managing the security of social media:
- not at all important - 9.3%;
- slightly important - 15.9%;
- somewhat important - 30.9%;
- very important - 34.6%; and
- extremely important - 9.3%.
- working remotely considerations:
- smartphones:
- as compared to other security threats facing the company, how important is managing the security of employee smartphones:
- not at all important - 12.7%;
- slightly important - 17.8%;
- somewhat important - 28.3%;
- very important - 32%; and
- extremely important - 9%.
- securing remote access:
- how does the organization configure its network:
- HTTPS - 65%;
- HTTP - 42%;
- SSH2 - 45%:
- SSH1 - 31%; and
- Telnet - 36%:
- 68% of respondents reported that their organization uses Secure Shell ("SSH"):
- this follows an upward trend in the use of SSH since 2004; and
- SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.
- is the organization using SSH1 or SSH2:
- all SSH1 - 8%;
- mostly SSH1 - 17%;
- equally both SSH1 and SSH2 - 31%;
- mostly SSH2 - 25%; or
- all SSH2 - 19%.
Source Document:
http://www.vandyke.com/aboutus/news/pressreleases/company/it_survey042010.pdf