Low-Level Malware, Not APTs, Worry IT Professionals

Security professionals are more concerned about malware and spyware than “advanced persistent threats”

IT security professionals rated common, low-level malware as their top IT security concern, according to a recent research survey.

IT security professionals rated the lack of resources and the inability to deal with zero-day vulnerabilities as their top concerns in the latest survey from eEye Digital Security, released June 16. Most respondents feel high-profile malware such as Project Aurora and Stuxnet is either a small or very small threat to their organisations. Most also consider government-sponsored hacking a low priority.

Malware And Spyware Most Feared

In a survey of more than 1,677 IT administrators, managers and C-level executives, nearly 55 percent said they consider malware and spyware a “very large” or “large” threat to the enterprise. That was in stark contrast to the 12 percent who said the same for Stuxnet and Operation Aurora, 11 percent for Night Dragon, and 23 percent for government- and state-sponsored attacks. Nearly 44 percent consider Stuxnet a “very small” threat, the survey found.

“While it is important to remain vigilant against attacks that wreak havoc and damage reputations, we must also remain focused on attacks that fly in under the radar” and happen every day, Marc Maiffret, CTO of eEye Digital Security, said.

About 47 percent of the respondents are concerned over a lack of staff or tech resources, while 41 percent said they are concerned about improper configuration. About 42 percent rated their inability to protect against zero-day vulnerabilities as a large or very large concern.

The “2011 Headlines vs Reality” survey “demonstrated that headline-driving attacks are not what keep IT security professionals or executives up at night,” according to eEye.

The survey found that security professionals want to make defence against stealthy, everyday attacks a priority. “Although cutting-edge headlines and horror stories may rule the air, most security professionals remain focused on the basics,” said Maiffret.

Tools And Patch Management

If they suddenly had 20 percent more in their budgets, most respondents would be interested in basic tools. About 65 percent said they would spend it on security reporting and dashboard technologies, 63 percent named patch management, and 60 percent named configuration compliance tools. A little over half, or 52 percent, said they would take the budget increase to hire more personnel.

About 61 percent said they would not spend it on more regulatory compliance reporting tools, and 49 percent said they would not invest in defences against advanced persistent threats and other high-profile threats.

However, most respondents, or 57 percent, said they won’t be seeing any increases in their 2011 budgets, despite the supposed economic recovery. Only 21 percent expect an increase and 22 percent actually reported a decline, according to the survey.

The survey included security professionals and executives from organisations of various sizes across all industries. Thirty percent of respondents came from organisations with 4,000 employees or more, and another 34 percent came from the true small to midsize businesses, with fewer than 99 employees. While 22 percent of the respondents came from high-tech, 35 percent came from industries other than high-tech, financial services, energy, retail, health care or the government sectors.