Symantec: Online Security Concerns Growing in the Workplace
In the world of IT security, it's a well-known secret that end users in Windows
processing environments put themselves at risk whenever they check their MySpace
and Facebook pages, or shop for plane tickets, computers and other goods and
services -- all while at the workplace.
Now, a pair of reports from Symantec Security Response -- including the 13th
annual "Global Internet Security Threat Report" (available as a PDF),
released on Tuesday -- reveal that such actions may imperil some enterprise
environments, especially given the rise of browser-based hacking and concerns
about security in the Web 2.0 era.
Symantec culled its findings from several sources, including data gathered
from network-monitoring software in the hundreds of countries where the security
software consultancy does business. Symantec also relied on research gleaned
from third-party sources, such as other security firms, exploit research sites
and its own security-monitoring blogs. The report covers statistics gathered
for the period between July and December of 2007.
"What we find increasingly is that these attacks, using the Internet as
a vector, leverage three things: a mature underground economy for hackers, client-side
attack toolkits such as bots, and the wildcard: human behavior in the workforce,"
said Ben Greenbaum, senior research manager for Symantec Security Response.
"And it's unfortunate but true that there is no security patch to block
the vulnerabilities of social engineering."
Among the key findings in Symantec's "Global Internet Security Threat
Report" are some staggering numbers, including the 711,912 new threats
discovered in 2007, compared to just 125,243 in 2006. That's an increase of
The report also highlighted several enterprise system weakness trends that are germane to IT pros looking to balance the new work/life spillover in their
IT administration space. According to the report, 58 percent of respondent-documented
vulnerabilities in the third and fourth quarters of last year affected Web-based
software or applications. Of those vulnerabilities, 72 percent were deemed "easily
The report also found from its respondents that between Apple, Sun Microsystems
and Microsoft, it was Redmond that had the shortest security patch research
and turnaround time with a six-day flip. On the other hand, Sun's average patch
development lead period last year was 157 days.
Here's another development from the report that may foster immediate concern
in some IT shops: Of all the patches rolled out by Sun, Microsoft and Hewlett-Packard
that were deemed either medium or critical (high-severity), more than 50 percent
were intended to fix either Web browser or client-side vulnerabilities in the
OS and related applications, or both.
Tuesday's report comes on the heels of a related
study conducted by Symantec last month that explores IT risk management
and its relationship to the "millennial" or post-mainframe workforce.
Symantec worked with Applied Research-West to measure IT risk issues surrounding
the emerging millennial workforce within companies in the United States. The study took
responses from 600 people, who were split into three groups of 200. The groups
comprised IT executives, rank-and-file "millennial" end users
born after 1980, and members of what Symantec deemed the "older" workforce
(born before 1980).
Here are a few of those findings:
- Younger workers of the millennial ilk (66 percent) tend to access Web
2.0 applications, download file-sharing software and use interactive Internet
features much more frequently than their older counterparts (13 percent).
The latter are probably busier, experts say, because they tend to be in
managerial positions. This probably accounts for the large percentage of users
on Facebook and MySpace during office hours.
- Younger workers also tend to take their work home with them on mobile devices
such as smart phones and BlackBerrys, storing backup files or even live workflow
files on home computers, personal laptops and home servers.
- Another important point that came out of this report is that 89 percent
of the IT managers surveyed conceded that enterprise risk in the IT space has
increased over the last five years, and almost half of those managers think
younger workers have something to do with that risk, posing a "significant
new challenge" in the workplace, according to Symantec.
Speaking on the phone from the RSA
Conference in San Francisco -- where many security pros and analysts are
in attendance this week -- Andrew Storms opined: "What we take away from
these studies and the recent trusted Web site hacks is that this can be applied
to Web 2.0 or anything that is Internet-based."
Storms is the director of IT security operations at San Francisco-based nCircle
Network Security. He added that these open secrets now have their basis in usable
data for tech managers to take to their companies' finance departments, where
they should make their concerns heard as a safeguard against hacks and disappointing
IT controls audit results.
"It's different when you have only colloquial evidence but you're seeing
with recent events and reports such as these that it's spelled out in plain
English with accompanying numbers," Storms said.
Kurt Mackie is online news editor, Enterprise Group, at 1105 Media Inc.