Attacks on Web servers doubled in 2001 compared to 2000 and nearly 90 per cent of companies surveyed have been infected with worms or viruses, despite having antivirus software installed, according to the Information Security Industry Survey, performed annually by Information Security magazine.
Information Security magazine, which is owned by security firm TruSecure, conducted the survey from late July to early August and received responses from 2,545 information security workers. Nearly 50 per cent of the companies surveyed experienced attacks against their Web servers from external sources in 2001, up from 24 per cent in 2000, the study found. Nearly 90 per cent were hit with worms, viruses or trojans, almost 40 per cent suffered denial of service attacks and a third faced buffer overflow attacks, the survey found.
Security threats from those inside the company were more varied and frequent, but somewhat less serious, the study found. Seventy-eight per cent of respondents said that company employees had installed or used unauthorised software and 60 per cent used company computers for unauthorised or illegal purposes. Fewer than 60 per cent of companies reported internal hacking incidents, while 58 per cent cited abuse of access controls, 22 per cent said employees had engaged in electronic theft, sabotage or leaks and 9 per cent said computers were used for fraud. All numbers were down compared to 2000.
Malicious code, privacy and confidentiality issues and protection against exploits (automated attack tools and methods of attack security vulnerabilities) topped the list of issues of concern for 2001-2002, respondents said.
Despite these concerns, and the findings that internal threats are more common than external, the top security projects slated for 2001-2002 involve strengthening the network perimeter to prevent external attacks, ensuring the security and availability of Web sites and adding security for messaging and remote workers, the study found.
Those projects may not be easily attained, however, as survey respondents reported a number of obstacles to providing better security. Chief among those obstacles are budgetary concerns. Fifty-four per cent of those surveyed expect their security budgets to increase in 2001-2002, the same per centage that felt that way in 2000-2001. Twenty-nine per cent, however, said that their budgets for 2001 have been frozen due to the economy.
Other barriers to good security include a lack of employee or end-user training, a lack of support from management and the inability to find competent computer security staff, the study found.