-
Cloud Security in the Post Pandemic World: Securing the Extended Enterprise
Post-COVID enterprise data management strategies must include a cloud-centric security envelope that spans the extended work environment in this growing hybrid/multi-cloud world. Securing your data in this extended enterprise is now one of the most critical priorities.
August, 2020
-
IT Security Policies Adoption and Best Practices
Nearly every IT organization has security policies to some extent, but there is often much room for improvement. The fact that so many companies have IT security policies that are not formally established, comprehensive in their scope, or followed consistently is part of the reason that we continue to see little progress against high-profile cyberattacks. In this report, we look at adoption trends and maturity of IT security policies by organization size and sector. We conclude with practical recommendations for IT organizations interested in improving their IT security policies. (17 pp., 6 figs.) [Research Byte]
October, 2018
-
Too Many Companies Neglect Security Incident Management
Cyberattacks have become a fact of life, and organizations are committing more resources to incident response. But too often, organizations confuse security incident response and incident management. While security incident response is a technical discipline, security incident management is a more formal process for monitoring, detecting, tracking, and responding to such incidents.
May, 2017
-
Security Incident Management Adoption Trends
Computer Economics research shows that security incident management as a best practice is only moderately mature. Despite the escalation in threat levels over the past few years, many companies are choosing to operate with informal management of security incidents. In this study, we introduce this best practice and look at adoption trends by organization size and sector. We also introduce some providers of security incident management systems and services. (14 pp., 5 figs.) [Research Byte]
May, 2017
-
Enterprise SaaS Providers Step Up Security Measures
The massive Distributed Denial of Service (DDoS) attack on Oct. 21 has some nervous cloud computing customers worried about the changing threat landscape and asking questions of their enterprise software-as-a-service (SaaS) providers. In this Research Byte, we review some of the stepped-up security measures of some enterprise SaaS providers.
November, 2016
-
Security Incident Management Adoption Trends 2015
Computer Economics research shows adoption of security incident management is only moderately mature, despite the apparent escalation in threat levels over the past year, and that there is plenty of room for broader and deeper adoption of this IT management best practice. This is a practice that every IT organization should embrace with some level of rigor. In this study, we introduce the best practices and take a look at adoption trends for security incident management by organization size and sector. We also introduce some of the providers of security incident management systems and services. (14 pp., 5 figs.) [Research Byte]
March, 2015
-
Malicious Insider Threats
This special report, based on our survey of IT security professionals and executives worldwide, analyzes malicious insider threats to businesses. Basic categories of malicious threats include accessing confidential information without authorization, disclosing confidential information, executing fraudulent transactions, and sabotage of the organization’s systems, network, or data. For each of these four categories of threat, we present data concerning the perceived seriousness of the threat and actual incidents and risks of each type. We then analyze the popularity of various methods for preventing, countering, and detecting incidents of malicious insider activity. (47 pp., 27 figs.) [Extended Description] [Research Byte]
May, 2010
-
Insider Misuse of Computing Resources
This special report, based on our survey of IT security professionals and executives worldwide, analyzes the threat of insider misuse of computing resources--that is, any violation of an organization's policies regarding acceptable use. Examples include unauthorized file copying; downloading of software, music, or other media; P2P file-sharing; rogue remote access programs, modems, and wireless access points; misuse of business or personal email; instant messaging; blogging and posting to message boards; and personal web surfing. For each of these types of insider misuse, we present data concerning the perceived seriousness of the threat, typical organizational policies or lack thereof, frequency of violations against company policy, analysis of preventive and detective actions taken by organizations to deter the misuse, and typical levels of enforcement. (77 pp., 75 figs.) [Extended Description] [Executive Summary]
March, 2009
-
Moving Security Beyond Regulatory Compliance
Organizations today must comply with a greater number of regulations than ever before, many of which deal with information and system security. While the intent of these regulations is good, their proliferation is burdensome. Even more troubling, it is possible to be compliant but not secure. Based on our survey of 100 security, IT, and compliance professionals, this article proposes four principles for establishing a security program that goes beyond regulatory compliance. (5 pp., 6 figs.) [Executive Summary]
October, 2007
-
Making Security an Integral Part of Project Management
Vulnerabilities are often introduced into an organization when changes are made to its technology, business processes, or facilities. Therefore, security should be an important element of project management, to ensure that the security implications of these changes are addressed. However, a survey by Computer Economics suggests that executives have not adequately integrated their security and project management functions. This article presents the results of our survey on the role of security in project management. Additionally, we review the positive impact that security can have on project management practices. (5 pp., 9 figs.) [Executive Summary]
August, 2007
-
2007 Malware Report: The Economic Impact of Viruses, Spyware, Adware, Botnets, and Other Malicious Code
Malware continues to be a major security threat, but obtaining a quantitative risk assessment is a difficult exercise. This special report, based on our survey of IT security professionals and managers, reports on the overall change in the malware threat level by type. Malware types include destructive viruses, spyware, adware, botnet code, and hacker tools. For each malware type, the report provides statistics for remediation cost, user hours lost, system downtime, and total dollar damages. It then summarizes the annual damages by organization size, and estimates the total economic impact of malware by year for the period of 1997-2006. Analysis of the top ten malware entities in 2006 is also provided. This report is an unbiased source for estimating malware damages and analyzing the cost-benefit of anti-malware investments. (51 pp., 36 figs.) [Extended Description]
June, 2007
-
Trends in IT Security Threats: 2007
This special study, based on a survey of over 100 IT security professionals and managers, analyzes current trends in IT security threats and changes in threat levels over the past year. Categories analyzed include malware, phishing, pharming, spam, denial-of-service (DoS), unauthorized access by outsiders and insiders, vandalism and sabotage, extortion, fraudulent transactions, physical loss of computing devices or storage, and insider misuse. Additional statistics are provided on the number of incidents in each category reported by survey participants. This assessment includes analysis of differences between the perceptions of IT security professionals versus the potential impact of cyber-crime in each category. (40 pp., 30 figs.) [Executive Summary]
April, 2007
-
The 2006 IT Security Study
This study, based on a survey of North American IT security managers, analyzes information security spending, staffing, incidents, the rate of technology adoption, and the deployment of security best practices for large, medium, and small organizations. This year's study found that large firms lag behind mid-size organizations in IT security spending, staffing, technology, and management best practices. It also found that many companies of all sizes fail to implement a number of basic security management best practices. Yet, in spite of these deficiencies, most companies are not authorizing more money for IT security. (186 pp., 150 figs.) [More about the study, and special pricing per chapter]
March, 2006
-
IT Security: Large Firms Lag Behind
By nearly every measure, large firms lag behind mid-size organizations in IT security spending, staffing, technology, and management best practices. This Research Byte is a press release for our 2006 IT Security Study: The Current State of IT Security Budgets, Management Practices, and Security Incidents, highlighting this and some other key findings of the report.
February, 2006
-
IT Security Spending Holds Strong and Steady
Focus on IT security continues to be a major issue for most organizations. Data from our most recent IS spending study confirms that spending on IT security remains strong in this era of cautious IT budget growth.
November, 2005