To develop a vaccine, researchers must first study those afflicted with a virus. Cyber-security works in similar fashion. To develop methods of prevention, the experiences of those who have been attacked are invaluable.
That was at least partly the goal Symantec had in mind when the company conducted research for its Symantec 2010 Critical Infrastructure Protection Study, a survey of 1,580 enterprises from around the globe and across multiple industries. The results were published online this month.
“It wasn’t intended to draw in and make judgment calls on why they think what they think, but really just to get an understanding of what they think,” said Justin Somaini, the company’s chief information security officer.
The company partnered with Applied Research to poll professionals from big and small businesses in banking and finance, communications, emergency services, energy, health care and public health, and IT — with the aim of leveraging lessons learned from enterprises that had suffered cyber-attacks.
“It’s really just putting a microphone in front of the corporations, whether big or small, and this did cover a lot of small companies as well as large enterprises, all the way up to well over 10,000 people and all the way down to a couple hundred,” Somaini said. The survey highlighted what companies are dealing with when protecting their critical infrastructure.
The research data showed:
• Eighty percent of companies believe that cyber-attacks have stayed constant or have increased over time, and 48 percent expect attacks over the next year.
• Past attacks have cost each company an average of $850,000 over the last five years.
• Only one-third of companies consider themselves extremely prepared for attacks.
Somaini said that Symantec has seen a significant increase in the amount of malware that’s been coming out over the past five years, justifying organizations’ belief that attacks are on the rise.
“It really goes to some of the fears that are out there of how they perceive the threat landscape increasing,” he said.
The survey also gauges how organizations feel about government critical infrastructure programs, and the opinions are generally favorable. Two-thirds have positive attitudes about them, labeled as “accepting,” “appreciative,” and “enthusiastic” in the research materials. Two-thirds also say they are willing to cooperate with the programs.
“I would have thought there would have been a little bit of cynicism or guardedness or something, but for them to have a positive attitude about critical infrastructure programs coordinated by the government — if I was the government, that’s great news,” said Cris Paden, Symantec spokesperson for public sector and government relations. “That means you have a willing audience out there that is interested in hearing what you have to say, and that they’re willing to cooperate.”
The report also notes that relying on technology alone to safeguard networks isn’t enough. There must be education for employees and processes in place because security is both a team and individual effort.
“It’s about building security into the DNA of all employees as well as into the processes, whether that’s things like change management or project management or any of the other staple processes at the company,” Somaini said.