
Press Release

Fourth Annual IT Security Survey: Incidences of Unauthorized Intrusions/Hackings of Midsize Enterprises Increased Significantly in 2008

BOCA RATON, FL and ALBUQUERQUE, NM, Oct. 14, 2008 — The Fourth Annual Enterprise IT Security Survey, commissioned by VanDyke Software and executed by Amplitude Research, polled 350 IT managers and network administrators to examine best practices in enterprise intrusion defense. According to the survey, 80% of respondents felt that their organization has budgeted sufficiently for information security needs; overall levels of unauthorized access/intrusions are holding steady except at midsize companies, which have shown an increase; and a majority of respondents report that such intrusions potentially result in the loss of sensitive or highly sensitive data, with a potential medium or high financial impact on their organization.

Forty-eight percent of the survey respondents (from a mix of small, medium, and large enterprises) indicated in 2008 that their organization had experienced a successful unauthorized intrusion of a user machine, office network, or server within the past two years. This 2008 result was higher than in previous years, although the increase was not quite large enough to be “statistically significant.” Meanwhile, 61% of the respondents in this year’s study working for midsize organizations (i.e., with between 1,000 and 4,999 employees in the U.S.) reported a hacker/unauthorized intrusion. This was significantly higher than the average result over the previous three years (ranging from a low of 44% in 2006 to a high of 49% in 2007). Sixty percent of respondents working for midsize companies surveyed this year expected an increase in their 2008 IT security budget.

Perception of adequate IT security budget in 2008

Among companies of all sizes, 47% of the survey respondents said their 2008 IT security budget would increase versus their budget in 2007, while overall only 12% said there would be a decline in their 2008 IT security budget versus the budget from the prior year. Less than one-third (29%) of the respondents were aware of their company postponing (but not canceling) any IT security projects during 2008 as a result of a perceived poor economy. Among those aware of their company postponing an IT security project, 61% still expected an increase in their IT security budget for 2008 as compared to 2007.

Intrusions and the damage done

Overall, 42% of the respondents in 2008 indicated that at least one user machine at their office experienced a successful intrusion in the past two years; 31% indicated that their office network experienced a successful intrusion; and 29% reported that one or more of their servers experienced a successful intrusion.

In general, a sizable proportion of companies (almost half of the total sample in 2008) continue to report experiencing hacker/unauthorized intrusions of their user machines, networks, and/or servers within the past two years. A majority of respondents reporting successful intrusions/hacks gave a rating of “high impact” or “medium impact” for the potential financial impact on their organization based on the information that might have been obtained. Similarly, a majority of respondents gave a rating of “highly sensitive” or “sensitive” for the information that might have been obtained as a result of unauthorized intrusions.

Said Steve Birnkrant, Amplitude Research CEO, “Last year, it was somewhat surprising to find that more than half of those experiencing intrusions felt there was a medium or high potential financial impact based on the information that might have been obtained. Now, the 2008 survey results confirm the 2007 findings and further suggest that unauthorized intrusions continue to be, in 2008, a serious concern for many companies.”

Rebound in security monitoring of servers

Most respondents reported that their organizations actively monitor the security of their servers, although 10% in 2008 did not do so. Close to two-thirds (64%) in 2008 reported actively monitoring 90% to 100% of their servers. This result was similar to the 2005 and 2006 surveys, but there was a significant drop in 2007. That is, the proportion actively monitoring most (i.e., 90% to 100%) of their servers dropped significantly from 66% in 2006 to 55% in 2007 and then rebounded significantly in 2008 to 64%. This pattern occurred within the small, midsize, and large company size categories.

Who is auditing now?

A new question was added to this year’s survey to find out what kind of security auditing practices enterprises have been using, if any. The results ranged from 12% reporting an outside security audit as frequently as twice a year or more often to 20% having never undergone a formal security audit by an outside organization.

Forty-four percent of those undergoing an outside audit twice a year or more often reported a successful intrusion. Among those who had an outside security audit once a year or every two years, 59% reported an intrusion. “This almost confirms that frequent outside security audits help reduce intrusions,” said Amplitude Research’s Birnkrant. However, Birnkrant emphasized that the relationship between the frequency of external audits and intrusion protection success is, at this point, inconclusive since this is the first year the question appeared on the survey and additional data is needed.

Where IT professionals go for best practices information

A wide variety of sources are used to learn about security best practices, as shown in the table below. For many sources, the results were very consistent year to year. However, there has been a slight decline in usage of books and newsletters. Meanwhile, there has been a slight increase in attendance at conferences.

Where Do You Get Information About Security Best Practices?

| Source | 2005 | 2006 | 2007 | 2008 |
|---|---|---|---|---|
| Security-related websites | 69% | 67% | 68% | 65% |
| Trade magazines (e.g., eWEEK, Network Computing, Secure Enterprise) | 68% | 68% | 64% | 62% |
| Training courses from professional organizations (e.g., SANS) | 53% | 54% | 61% | 58% |
| Conferences (e.g., NetSec, USENIX) | 50% | 55% | 54% | 59% |
| Online discussion forums | 49% | 51% | 47% | 50% |
| Books (e.g., O'Reilly, Wiley, Addison-Wesley, Microsoft Press) | 49% | 43% | 42% | 37% |
| Newsletters | 49% | 43% | 41% | 36% |
| Local training courses (e.g., college or university, user groups) | 37% | 34% | 36% | 37% |
| Security-related blogs | 33% | 35% | 38% | 33% |
| USENET groups | 33% | 33% | 34% | 32% |

The 2008 study was commissioned by VanDyke Software and conducted online by Amplitude Research from September 17th to September 19th, 2008, among Amplitude’s nationwide technology panel. It had 350 total survey respondents, with a maximum sampling margin of error of 5.2%. The survey asks questions pertaining to a variety of IT practices currently used by enterprises to defend against intrusions and hackers. To obtain an executive summary of the 2008 survey results, contact Jill Christian at VanDyke Software (Jill.Christian@vandyke.com) or Michael Krems of Krems Public Relations at krems@kremspr.com.

About Amplitude Research, Inc.

Amplitude Research® is a privately owned survey research organization headquartered in Boca Raton, Florida, with blue chip clients located throughout the United States and Canada. Amplitude combines its proprietary survey platform and experienced professional services to deliver actionable survey results. Amplitude's proprietary Panelspeak® Technology Panel (www.panelspeak.com) was formed in early 2002 and can reach more than 75,000 IT professionals representing all types and sizes of organizations, and includes such job titles as network or system administration, IT manager, software developer, web developer, technical support specialist, and C level or higher IT professionals including CTOs, CIOs, and MIS managers. The name "Amplitude" Research and its tagline "loud and clear" signify Amplitude's high-quality statistical and reporting services tailored to meet each client's specific needs. For more information about Amplitude Research, visit the company's web site at http://www.amplituderesearch.com.

About VanDyke Software, Inc.

IT professionals who are responsible for network administration and end-user access where security is critical rely on VanDyke Software's rock solid and easy to configure software. The company develops secure, standards-based data access, file transfer, and communications software for internet and intranet use by corporations, government, and education. VanDyke Software consistently delivers accurate, responsive support, and addresses its customers' evolving needs with timely product enhancements. VanDyke offers a fully-supported 30-day evaluation of its products prior to purchase. For more information about VanDyke Software, visit the company's web site at http://www.vandyke.com.
