American companies can expect an online security breach about once every four years, but many organizations appear unprepared. That’s a key takeaway from IDG's new report on website security.
The report, "Website Security in Corporate America", was conducted by IDG’s Connect division on behalf of Symantec, the security firm. It found that 74% of respondents thought the websites they managed were “totally secure” or “very secure.” Nearly 40% thought it was unlikely their corporate sites were vulnerable to cross-site scripting, even though Symantec has identified that technique as the top website-based threat to corporate websites.
One-Third Never Assess Security Threats
When managers were asked which kinds of security attacks had been the most successful, cross-site scripting was the culprit in the most breaches that resulted in a major impact, followed by information leakage. The study also found that nearly 60% of those interviewed did not know if their sites were vulnerable to brute force attacks, and 37% said the same about cross-site request forgery.
One-third of those surveyed, including organizations of every size, said they never conduct vulnerability scans or assessments of their websites. Many were consumer-facing sites, resulting in “a high stakes game of risk that threatens reputations and revenues right across the economy.”
Large organizations, with more than 5,000 employees, showed the most confidence. Among those large enterprises, 83% of IT professionals said their sites were “totally” or “very” secure, and, for mid-sized organizations with 1,000 to 5,000 workers, that number was 72%. Sixty-five percent of small organizations felt similarly.
In general, however, technically oriented IT managers were somewhat less confident of their sites’ security than more general IT managers, as were small- to mid-sized organizations compared to large ones.
How Assessments Are Conducted
There was also some correlation overall between IT managers whose sites have never been assessed for security issues, and a lack of confidence in how secure those sites were. The report pointed out that this made sense, although it noted that, for mid-sized companies in particular, 72% of surveyed IT managers described their sites as “very” or “totally” secure, even though only a very small minority – 13% – repeated vulnerability tests monthly. “Their confidence,” the report said, “may well be misplaced.”
Among small organizations, those numbers are 65% and 26%, and for large organizations, 83% and 38%, respectively. IDG Connect attributed this discrepancy between confidence and regular testing to what it described as “a vulnerability knowledge gap.”
From the report, "Website Security in Corporate America"
Another factor in determining IT managers’ level of confidence is how security assessments are conducted. Those who used automated remote scans expressed the greatest levels of confidence, with 42% characterizing their sites as “very secure” and half choosing “totally secure.”
Assessment Kind Vs. Organizational Size
Those who used internal assessments were somewhat less confident, with just 23% selecting “totally secure,” while only 17% of managers using third-party assessment felt that way.
The kind of assessment was related to organizational size. Sixty-five percent of large organizations preferred internal assessment, 31% chose automated remote scanning, and only 23% used third-party assessment. For mid-sized organizations, nearly half picked internal assessment, 38% used third-party, and only 5% chose automated scanning. Among small organizations, 40% opted for internal, 45% for third-party and just 15% for automated remote.
The report looked at whether the frequency of the assessments was also a factor, and determined it was not. “Whichever way you cut the data,” the report noted, “automated scanning seems to be associated with higher levels of confidence.”
IDG noted that organizations that are less than diligent and knowledgeable about security risks are engaged in “significant risk taking,” since one in five companies experience a security breach every year. Of those, 15% said the impact was “major.”