Indian firms perceive cyber attacks as bigger threat than terrorism

09 Mar 10

Symantec Corporation today released the India findings of its global 2010 State of Enterprise Security study. The study found that 42 per cent of Indian enterprises rate cyber security their top issue. This isn’t a surprise, considering that 66 per cent of enterprises experienced cyber attacks in the past 12 months.

These attacks cost Indian enterprises an average of over Rs. 58 lakh in lost revenue in 2009, apart from bigger financial losses due to loss of confidential data and productivity. Finally, organizations reported that enterprise security is becoming more difficult due to understaffing, new IT initiatives that intensify security issues and IT compliance issues.

“Protecting information today is more challenging than ever,” said Vishal Dhupar, managing director, Symantec India. “By putting in place a security blueprint that protects their infrastructure and information, enforces IT policies, and manages systems more efficiently, businesses can increase their competitive edge in today’s information-driven world.”

Study Highlights:

Enterprise security is IT’s top concern

Security is of great concern to Indian enterprises. Forty-two per cent of the enterprises surveyed rank cyber risk as their top concern, more than natural disasters, terrorism and traditional crime combined. Reflecting that perception, Indian enterprises are intently focused on IT security.

In fact, the study revealed that 81 per cent of the organizations feel better managing business risk related to use of IT is an important focus area for 2010. Furthermore, 92 per cent of the organizations said IT security budgets would stay the same or increase in 2010.

Enterprises are experiencing frequent attacks

In the past 12 months, 66 per cent of Indian enterprises experienced cyber attacks. Worse, 51 per cent reported that cyber attacks have stayed the same or grown over the past 12 months. The attacks experienced in 2009 were a combination of external and internal attacks.

While 34 per cent experienced an extremely/somewhat high number of external malicious attacks, 23 per cent experienced an extremely/somewhat high number of internal malicious attacks. Insider negligent actions were also a significant factor, with 31 per cent of the Indian enterprises surveyed experiencing an extremely/somewhat high number of these attacks.

Interestingly, while 51 per cent stated that external malicious attacks grew quickly in 2009, over 40 per cent revealed that internal attacks increased rapidly too.

Costs of cyber attacks are high

Each of the cyber attacks mounted by Indian enterprises in 2009 had a financial impact, with 100 per cent of the surveyed organizations reporting a loss of revenue and 81 per cent reporting a direct financial cost. Apart from these, costs of damaged brand reputation, loss of customer trust and litigation were also high. Ninety per cent of enterprises faced a cost to comply with regulations after an attack, reflecting the need for enterprises to prevent such attacks in the first place.

While the average revenue lost by Indian enterprises due to cyber attacks was Rs. 58,59,234 in 2009, the value of lost confidential data and lost productivity was also high. Indian enterprises lost an average of Rs 94,56,216 in organization, customer and employee data in 2009, and an average of Rs. 84,57,037 in productivity.

Enterprise security becoming more difficult

Not surprisingly, IT security is becoming an imposing issue for Indian enterprises, with 58 per cent being extremely concerned and 19 per cent somewhat concerned about loss of confidential data. However, enterprise security is becoming more difficult due to a number of factors.

First, enterprise security is understaffed, with the most impacted areas being network security, endpoint security, web security and data loss prevention. Second, enterprises are embarking on new initiatives that make providing security more difficult. Initiatives that IT rated as most problematic from a security standpoint include infrastructure-as-a-service, platform-as-a service, server virtualization, endpoint virtualization, and software-as-a-service.

Recommendations

Organizations need to protect their infrastructure by securing their endpoints, messaging and Web environments. In addition, defending critical internal servers and implementing the ability to back up and recover data should be priorities. Organizations also need the visibility and security intelligence to respond to threats rapidly.

IT administrators need to protect information proactively by taking an information-centric approach to protect both information and interactions. Taking a content-aware approach to protecting information is key in knowing where sensitive information resides, who has access, and how it is coming in or leaving your organization.

Organizations need to develop and enforce IT policies and automate their compliance processes. By prioritizing risks and defining policies that span across all locations, customers can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.

Organizations need to manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.

Get the latest stories first with info4security's newsletters: Click to signup

Post and bookmark this story at the following sites:

What is this?

del.icio.us	Digg	Reddit	Google	Newsvine