High profile cyber attacks, like hurricanes, have their own names and generate a lot of coverage on the cyber security beat. Threats like Stuxnet, Aurora, and Night Dragon have received a lot of attention of late, but of more immediate concern to most IT security professionals are the threats they don’t hear about in the news. A survey by BeyondTrust, a provider of IT security and unified vulnerability management solutions, reveals that the majority of IT professionals surveyed view common malware and spyware threats to their networks and IT assets as their number-one concern, not the headline-making attacks. This report analyzes the results of BeyondTrust’s “Headlines vs. Reality” survey of 1,677 respondents, including IT and IT security administrators and managers, and C-level executives from companies big and small in a number of industry verticals. The survey identifies what threats they’re most concerned about, where they believe their IT assets are vulnerable, and what security improvements they would make if they got a hypothetical 20 percent increase in their budgets. The survey reveals that those high-profile attacks, while significant, often are aimed at specific targets and are of little threat to the broader community. Stuxnet, for instance, was a computer worm discovered in July 2010, that did attack Microsoft Windows computers — a ubiquitous operating system, of course — but it was primarily aimed at disrupting the nuclear enrichment program of Iran. Sixty percent of the infected computers were in that country. Likewise, Operation Aurora in 2009 was a worm originating in China and targeting a number of high tech and defense contractor firms including Symantec, Adobe Systems, and Northrup Grumman. Its most high profile target was Google, which accused the perpetrators of hacking the Gmail accounts of Chinese dissidents. Aurora was a big story but it was still relatively limited. Lastly, Night Dragon was a cyber attack focused on companies in the oil, gas, and petrochemicals industries. If you were in any of those industries, that was a big threat, but if not, your attention was best directed elsewhere. Those named threats were of little concern to IT professionals in the BeyondTrust survey. Stuxnet was identified as a “large” or ”very large” threat to only 12 percent of respondents, Aurora by only 12 percent, and Night Dragon by only 10 percent. Instead, 55 percent of respondents identified common malware and spyware as a “large” or “very large” threat to their organization. The survey drilled further down into their top concerns (based on a select all that applies response):
  • 48 percent of respondents are concerned over a lack of human and technological resources to improve security.
  • 42 percent of respondents are worried about improper configurations that could leave them vulnerable.
  • 42 percent said they are worried over their inability to protect against Zero Day vulnerabilities, which are unidentified or unpatched threats
  • 41 percent said they are concerned over a lack of security insight into compliance issues and vulnerabilities and attacks. Organizations are usually subject to industry and government security requirements.