Research Report: The State of IT Security

Last year was an abyss for IT security pros, according to 232 ITPro Today readers who responded to a recent survey regarding IT security (download the report below). Battered by ransomware and a stunning variety of well-crafted other attacks, survey respondents expressed fears about the challenges ahead as well as hopes for a better-armed IT security future. Those fears and hopes rest upon, to a large degree, what IT pros see as the weakest (and potentially strongest) link in the security chain: the end user. It’s the end user that IT security pros want to focus their attention on; indeed, at the top of the 2019 wish list was a “more security-aware organizational culture where end users take ownership.”

End-user weakness is particularly dangerous to companies now, with ransomware, which ranks as the leading cause of successful attacks in our survey, reaching companies of all sizes. In response, there’s been a revolution in patching/fixing/updating infrastructure. But much damage has been done: Ransomware using broadly cast malware such as WannaCry infected over a quarter of a million machines worldwide, and the number of platform-targeted (database, web hosting, SCADA platform) malware types rose. This in turn has led to products and practices aimed at prevention, identity control and encryption.

Despite the difficult climate for IT security, our research suggests that IT professionals are in fact rather optimistic – or at least more optimistic than the channel companies that work closely with them. Comparing our survey with a similar one we fielded among IT channel respondents, we found distinctly different takes on how companies’ vulnerability postures have changed over the past year, as well as in the prevalence of breaches. In general, the IT respondents were more optimistic on both counts. We drill into some of the reasons for the differences in attitudes below.

For this report, we analyzed the data from the overall respondent base and compared responses from those at small companies (which we defined as those with fewer than 1,000 employees) with those at large companies (which we defined as those with 1,000 or more employees). There were sometimes wide variations in how the two groups approach security problems and tools, as well as in their demographics and outlooks. Respondents from large organizations reported use of a wider variety of tools, but they also felt they were the target of more sophisticated threats. The complex threats, which included invasive malware, terabytes of data exfiltration schemes and ransomware variants, represent big asset damage.

For more detail on these findings, download our free 33-page report.