Findings of Study into Corporate End User Perceptions of IT Security Threats

Today, the findings of a study into corporate end user perceptions of and experiences with security threats compared to a similar study conducted in 2005 were announced by TrendMicro. The study tracked responses from 1600 corporate computer end users across U.S., U.K., Germany and Japan and compared them to analysis from Trend Micro TrendLabsSM global threat research network and a similar study conducted in 2005.

Both Trend Micro research and the survey findings recognize an increase in spam between 2005 and 2007, yet fewer corporate end users in the U.S. acknowledge having received spam. U.K. respondents generally perceive security threats to be less serious in 2007 compared to 2005. However, German respondents by contrast, consider all threats to be more serious in 2007 compared to 2005.

Interestingly, according to threat research, digital threats increased 163 percent between December 2005 and November 2006. Specifically, Web threats grew by 540 percent from January 2005 to January 2007. End users may show a lack of concern for the seriousness of threats owing to the silent and invisible nature of many new infection routines.

Worldwide, viruses, spam and spyware continue to be security threats that end users are most aware of. In particular, in Japan the awareness for spyware increased significantly from 76 percent in 2005 to 93 percent in 2007.

Although 4 in 10 respondents in all countries indicated that they have received more spam over the past three months, when compared to the 2005 study U.S. respondents reported an overall decline in the percentage of spam received (84 percent in 2005 compared to 72 percent in 2007).

By contrast, spam tracking saw the amount of French and German language spam peak last summer (between May and August 2006) in enormous quantities, spam numbers fluctuated between 1 million and 6 million pieces per month. This trend later slowed to between 7 thousand and 10 thousand messages per month.

From September 2006 to December 2006, the quantity of Japanese language spam peaked at almost 1 million, but numbers have now reverted back to an average of 350 thousand per month. English-language spam peaked in August 2006 at around 39 million, and is now down to an average of 2 million per month.

The fluctuation in quantities of spam tracked is owed both to the growth of image spam and also the introduction of new technologies such as that which can identify and block image spam.

Similar to spam encounters in the survey, the percentage of respondents who encountered spyware declined in the U.S. (41 percent in 2005 versus 35 percent in 2007) and Germany (23 percent in 2005 versus 19 percent in 2007) but most notably in the U.K. (42 percent in 2005 versus 26 percent in 2007).

Similar to spam, it is likely that the decrease in spyware may be due to the increased complexity and sophistication of attacks and that end users are less able to identify new, silently installing malicious code.

Other noteworthy findings include:

• Japanese end users rely most upon their IT department. In the three months prior to the study being carried out, 44 percent contacted their IT department. By contrast, U.S. end users are least reliant on their IT department for advice and support with only 24 percent contacting the department during this same time period.
• U.S. respondents are generally more confident in the protection provided by corporate computers with about 40 percent indicating that their work computers are better protected than home computers against spam, spyware and phishing. As a result, they are more likely to click on suspicious links or websites using their work computers (17 percent), particularly when compared to respondents in Germany (8 percent).
• However, U.S. respondents are also more likely to take most security threats seriously - especially relative to respondents from the U.K. As an example, 60 percent of U.S. respondents indicated that they view spyware as a serious threat while only 48 percent of U.K. end users viewed it as such. Similarly, 48 percent of U.S. end

• users recognised the danger of spam while only 27 percent of U.K. end users perceived this to be a serious threat.
• 48 percent of all respondents who have been victims of spyware or phishing scams believe that their IT department could have prevented the incident.
• Identity theft, loss of personal information and privacy violations are the biggest concerns related to phishing, pharming and spyware. Loss of computer performance or productivity is the biggest concern related to spam, viruses and Trojans. Malicious downloads are also a key concern related to viruses, Trojans and web threats.
• Use of security software is the main action taken to protect against pharming, spyware, trojans, viruses and web threats. Close monitoring of email is the leading action taken to protect against spam and phishing.

Given the increased number and sophistication of spam and phishing attacks, continued education of corporate end users is urged. In addition to being an inconvenience to end users, spam and phishing attacks often include links to sites hosting malicious threats such as spyware. Infections through this route pose a serious threat because victims of such attacks become vulnerable to personal and corporate information theft.

While end users in certain countries recognize the seriousness of threats, they are also more likely to take risks and open suspicious documents or click on suspicious links from corporate computers. Perhaps owing to the availability and reliance on support teams in the corporate environment, they feel less personally responsible for secure habits and practices at work, and more responsible on their home computer when their personal security is at stake.