A third of companies admit they have not invested in security for their virtual computing environments, a survey has revealed.
This means many businesses are opening themselves up to the possibility of a serious and costly data breach, according to security firm Kaspersky Lab, which commissioned the study.
The study, conducted globally among businesses with 100 or more IT workstations, also found 42% of companies believe their virtual servers are more secure than physical ones, despite the fact that one in three of those surveyed admitted their knowledge of virtualisation was 'basic'.
"There is a common perception that virtual machines are more secure than physical ones, but this is little more than a myth. In fact, virtual systems are just as vulnerable to malware in the form of malicious e-mail attachments, drive-by-downloads, botnet Trojans and even targeted 'spear-fishing' attacks," said Peter Beardmore, senior director of products and services at Kaspersky Lab.
Despite limited knowledge of virtualisation, the study found 81% of services launched in virtual environments are business critical.
Around half of those running applications on virtual services admitted they did not have a full understanding of virtualisation and securing that environment.
These facts combined point towards a worrying lack of knowledge among IT professionals, which may be putting the benefits of virtualisation at risk, he said.
"There is no doubt that the business benefits of virtualisation are huge – both in terms of cost and accessibility. But underestimating the security risks puts businesses of all sizes in a perilous position," said Beardmore.
The lack of knowledge shown by IT professionals is mainly to blame, he said, so businesses need to invest in understanding the concept of virtualisation.
Another common problem is that the business is so focused on performance and cost, security is often overlooked or tagged on only at the end, said Andrew Lintell, director for corporate sales, Kaspersky Lab.
According to Forrester security and risk analyst Andrew Rose, many IT professionals think a virtual server is just the same as a physical one. "But they are not. The risks are different," he said.
Beardmore said basic knowledge is simply not sufficient when the security of a business is at stake.
"The industry needs to wake up to this situation and invest in adequate security solutions alongside a comprehensive education programme," he said.
To help companies get the productivity and efficiency benefits of virtual IT without security risk, Kaspersky Lab has developed a virtualisation product that integrates with its corporate security suite.
Beardmore said Kaspersky Lab believes it important to get visibility of both physical and virtual machines on a single screen and be able to report it all together.
It is also important that both physical assets are managed by a system that is able to enforce appropriate security policies without too much overhead.
Virtualisation can help improve security, he said, but only if companies invest in the security controls and management systems to keep track of VMs and enforce security policies.
Beardmore said organisations need to get up to speed on what types of security controls are available and what would be best for their particular situation.
No two virtual environments are the same; for some an agent-based security monitoring system will work fine, for some an agentless approach may be better, while others will require a hybrid approach.
