Security practitioners know hackers are working overtime to attack their networks; that they're relying on outdated and unreliable security protocols. Despite it all, many still get a good night's rest.
Of 337 IT managers and administrators surveyed April 26-30, 32% worry about "the next virus/worm" and an equal percentage fear "a security breach to the enterprise's network." But 34% said they have "no worries" at all and "sleep like a baby," according to results published this week by a Michigan research firm.
Asked which factors they consider most in their security planning, a little more than 10% said homeland security, 39% said customer/vendor/business partner requirements and 23% cited legislative mandates like HIPAA, Sarbanes-Oxley and GLBA. The poll was conducted right before the Sasser worm outbreak.
"I guess the message here is that ignorance is bliss," said Steve Birnkrant, chief executive officer of Amplitude Research Inc., which conducted the survey on behalf of Albuquerque, N.M.-based VanDyke Software Inc. "What most surprised me was the general sense of complacency. Much has been written in the media about security issues, and this makes me wonder if people are listening."
Birnkrant added, "One of the more interesting findings, when you peel the onion a bit and look at the network administrator's concerns, is that those who report homeland security as being the greatest concern are more likely than other respondents to express the belief that their company has budgeted sufficiently to support their current information security needs. For the largest companies with more than 20,000 employees, a significant percentage selected legislative drivers as currently having the greatest impact on information security plans, with only one respondent in the one-to-nine-employee size range selecting this choice."
Of the network administrators who said they have no worries and sleep like a baby, almost half -- 44.9% -- have 25 to 99 employees. A quarter of sound sleepers have one to nine employees while 14% have 10,000 to 19,999 employees.
A majority of all respondents -- 51.94% -- said their organization's budget for information security needs is insufficient. Of them, 63.16% have 25 to 99 employees while 42.31% have 10,000 to 19,999. Asked what their top security management priorities are, results, based on respondents being allowed to check off more than one category, broke down as such:
- keeping virus definitions up to date (69%)
- securing remote access (45%)
- patching systems (42%)
- monitoring intrusions (36%)
- user awareness (26%)
- spam (24%)
- network use monitoring (20%)
- password management (18%)
- user training (12%)
- managing logs (6%)
About 43% of respondents said they're using the Secure Shell (SSH) protocol to protect data, secure remote access, and perform network management. But while the current SSH2 is considered to be significantly more secure, nearly 45% said they are continuing to mostly use the older SSH1 protocol. A cause for greater concern, according to the surveyors, is that 54.9% said they continue to configure their network devices via Telnet, which is known by network security experts to be severely vulnerable to intruders because it sends data as clear text and offers only weak password authentication.
For Marc Orchant, head of communications at VanDyke, that was one of the biggest shockers, especially since it costs little or nothing to upgrade these protocols.
"I'm not advocating losing sleep or getting an ulcer, but it surprises me that more people are not taking advantage of upgrades they can get cheaply or for free," Orchant said. "They need to take a second look at some of the opportunities available to them."