More than two-fifths of companies worldwide have failed to prepare for cyber threats, a survey from security company Kaspersky Lab has revealed.
Some 41% of more than 3,300 IT professionals polled in 22 countries – including 200 in the UK – said their corporate infrastructure lacked the necessary protection to handle online attacks.
Nearly half of respondents said their companies were insufficiently protected against the theft of intellectual property and 51% were sure their system protection infrastructure would be powerless in the face of a serious attempt at industrial espionage.
Over the past year, several targeted cyber attacks have led IT specialists to start taking the issue seriously. The survey showed 11% of respondents believe the threat will be their main concern in the future. One third of specialists are sure their companies will be attacked.
Many IT professionals blamed budget constraints, a lack of understanding among senior managers about their department's objectives and goals and an insufficient number of trained personnel.
Kaspersky Lab said employee awareness is a crucial factor in the battle against modern malware and its potential consequences. But 31% of respondents said they were not fully aware of the latest Trojans, nor of the means used to conduct targeted attacks on companies.
Only 27% of business representatives had heard about Stuxnet. Even fewer (13%) knew about the Trojan Duqu, designed for the targeted collection of confidential data.
Kaspersky Lab said knowledge among IT professionals about modern threats is as vital as training employees in the rules of computer security.
Deploying systematic security policies and ensuring compliance also helps to protect businesses against the careless activities of employees, Kaspersky Lab said.
Mobile devices at risk
The part of the survey that dealt with security policies for mobile devices showed one-third of companies allow their employees to use them with full access to the corporate network and its resources.
"By doing so, they are creating a gaping hole in their security," the Kaspersky report said.
When it comes to corporate security policies for personal devices, the findings are not very encouraging either, the Kaspersky report said. Only 9% plan to introduce tough restrictions for personal devices.
Based on the findings of the survey, the research report recommends four areas of action:
Data encryption. As confidential data leaks are one of the biggest challenges facing all companies, Kaspersky Lab recommends the partial or complete encryption of data as an additional layer of security.
Even if a device ends up in the wrong hands or a malware attack is successful, a cyber criminal that gains access to files that have been encrypted will not be able to see their contents.
Paying particular attention to personal devices. Many employees at both large and small companies use personal devices, usually mobile, to connect to the corporate network and work with confidential information. Sometimes these devices are not sufficiently protected which can lead to data loss.
Companies need to implement a security policy that covers the use of both personal and corporate mobile devices for work-related tasks, said Kaspersky.
Be prepared for targeted attacks. Although targeted attacks are not as common a threat as worms and Trojans, in the future the number of attacks targeting the infrastructure of specific companies will grow. One-third of those surveyed believe that their company will eventually be attacked with highly unpredictable consequences.
Kaspersky Lab recommends putting measures into place now for combating targeted attacks, in particular paying more attention to proactive protection methods designed to prevent threats rather than dealing with the consequences.
Educating staff. The survey showed a significant number of key specialists didn't know anything about the cyber threats they are expected to combat. This is compounded by a low level of computer literacy among employees which can lead to a company's IT infrastructure being infected or confidential information being leaked.
Teaching company personnel all the basics of IT security is no less important than installing the latest security software, said Kaspersky.