Attacks on Web servers doubled in 2001 compared to 2000 and nearly 90 percent of companies surveyed have been infected with worms or viruses, despite having antivirus software installed, according to the Information Security Industry Survey, performed annually by Information Security magazine.
Information Security magazine, which is owned by security firm TruSecure Corp., conducted the survey from late July to early August and received responses from 2,545 information security workers. Nearly 50 percent of the companies surveyed experienced attacks against their Web servers from external sources in 2001, up from 24 percent in 2000, the study found. Nearly 90 percent were hit with worms, viruses or trojans, almost 40 percent suffered denial of service attacks and a third faced buffer overflow attacks, the survey found.
Security threats from those inside the company were more varied and frequent, but somewhat less serious, the study found. Seventy-eight percent of respondents said that company employees had installed or used unauthorized software and 60 percent used company computers for unauthorized or illegal purposes. Fewer than 60 percent of companies reported internal hacking incidents, while 58 percent cited abuse of access controls, 22 percent said employees had engaged in electronic theft, sabotage or leaks and 9 percent said computers were used for fraud. All numbers were down compared to 2000.
Malicious code, privacy and confidentiality issues and protection against exploits (automated attack tools and methods of attack security vulnerabilities) topped the list of issues of concern for 2001-2002, respondents said.
Despite these concerns, and the findings that internal threats are more common than external, the top security projects slated for 2001-2002 involve strengthening the network perimeter to prevent external attacks, ensuring the security and availability of Web sites and adding security for messaging and remote workers, the study found.
Those projects may not be easily attained, however, as survey respondents reported a number of obstacles to providing better security. Chief among those obstacles are budgetary concerns. Fifty-four percent of those surveyed expect their security budgets to increase in 2001-2002, the same percentage that felt that way in 2000-2001. Twenty-nine percent, however, said that their budgets for 2001 have been frozen due to the economy.
Other barriers to good security include a lack of employee or end-user training, a lack of support from management and the inability to find competent computer security staff, the study found.