Our InformationWeek Strategic Security Survey, now in its 15th year, is a great trend spotter: when we see a double-digit, year-over-year percentage-point shift, we take notice. For example, based on 946 responses, only 15% feel they're more vulnerable than a year ago, which is the same percentage as in 2011. However, among those feeling more vulnerable, the percentage of IT pros worried that there are more ways to attack their networks plunged, from 76% to 62%. The concern that's on the rise is the growing amount of customer data to secure: up to 44% from 34% a year ago.
IT's also paying closer attention to the security of public cloud service providers. Last year, just 18% conducted their own audits; now it's up to 29%. Use of providers' own audit reports is also up. To the 9% who want to conduct risk assessments but are stymied by uncooperative vendors, we say consider that resistance a big red warning flag.
One area where we saw surprisingly little movement is mobile security: 25% say smartphones and tablets represent a significant threat, up just a tick from 24%. Loss or theft is IT's greatest concern, and for good reason, since end users are more likely to leave a tablet in a cab than they are to download a malicious app. That's why mobile device management software that can remotely wipe data, protecting the organization from a potentially messy information leak, is so critical.
Another constant among our respondents is perceived cloud risks. Top worries include leaks of customer data and security defects in the providers' systems, unchanged from last year.
Cloud and mobility may be hot-button issues, but our report goes deeper. Consider a secure software development life cycle (SDLC) process. We recommend investing in a process to ensure that your software isn't laden with flaws that attackers can exploit, yet just one-third of respondents have formal programs in place. That's one trend line that we hope angles up for 2013, aided by the fact that among respondents whose shops do use secure SDLCs, 33% rate them very effective.
This year's survey also delves into why you should pay more attention to access control, the importance of user education, the benefits of collecting and analyzing security metrics, and the pros and cons of cyberbreach insurance.
About 20% of respondents have taken out breach insurance policies, but that may not be money well spent. It's difficult to accurately estimate the costs of a breach, including cleanup and remediation, so your policy may not cover the true extent of damages. If you really want insurance, spend some of that cash on an SDLC and sound risk management practices and leave the actuarial tables to hurricanes and car crashes.