More than half of the IT administrators surveyed said they had seen more data security incidents in the past year, according to McAfee’s third annual Security Paradox report. The research for this year’s report was conducted by Bloor Research on behalf of McAfee.
There are a number of reasons for the jump in security incidents at mid-size companies, according to Nigel Stanley, head of the security practice at Bloor Research. He told Infosecurity that an important factor is that larger organizations are tightening their information security environments.
“The hackers are now targeting mid-sized organizations. Large enterprises generally have pretty good security. Hackers are not going to go after a big bank; they are going to go after mid-sized organizations because they are softer targets…. This is a legitimate concern for anyone in a mid-sized organization to have to deal with this increasing threat”, Stanley said.
In addition, the sheer volume of mobile devices has increased, which provides more opportunities for data breaches. “We’ve got more mobile devices and we’ve got Web 2.0 applications. We’ve got data residing on a device in someone’s pocket. Obviously that device is liable to be attacked. We’ve seen an increase in attacks targeted at mobile devices”, he said.
Stanley observed that there has been the “consumerization of IT” over the past few years. “There is a real trend of people buying their own IT devices and then going to the IT people in a mid-size organization and saying, ‘I have this device, make it work for me.’ This creates an enormous amount of stress and pressure because the IT people try to accommodate these devices, and the end result is often a security breach.”
Cari Jaquet, director of global marketing at McAfee, stressed that often the loss of data is inadvertent. There are many mid-sized companies in which employees use their own devices for company work and plug into the company network with those devices. For example, a company might not be able to afford to buy iPads for its employees. But one or two employees might buy one on their own and want to use it at work.
“They are not going to have the same level of control and the same encryption…. Mid-sized companies used to think, ‘Who would want my data?’ Now, their data is even more valuable and easier to get to”, she said.
Jaquet noted that 85% of IT administrators at mid-sized organizations said they were concerned or very concerned about inadvertent security incidents.
The survey found that 35% of mid-sized organizations had to manage multiple network security incidents, of which 55% took up to five hours at a cost of $1000 per hour to investigate and remediate. In fact, a number of mid-sized organizations reported that they had suffered a data loss that had cost them more than $25 000. “The costs of data breaches are pretty significant for mid-sized companies”, Jaquet said.
In addition, the survey found that 40% of those surveyed reported data breaches during the past year; 75% believe a serious data breach could put them out of business; 83% said they were concerned or very concerned that their business could be the target of a malicious security attack; 51% had been attacked; and 16% of those who were attacked took more than a week to recover. Data loss was the number one consequence of the attack.