Everyday malware, spyware still a top concern of IT administrators

Over half of IT personnel view everyday threats from malware and spyware as their number one security concern, not headline-grabbing attacks like Stuxnet, Night Dragon, and Operation Aurora, according to a survey by vulnerability management provider eEye Digital Security.

Also, close to half of respondents indicated that a top security concern was a lack of human, hardware, and software resources, according to a survey of more than 1,600 IT administrators, managers and C-level executives from enterprises across multiple industries and government organizations.

“More than half of them are worried about the day-to-day malware and spyware….They cost organizations not only money but time in having to constantly remediate and clean up systems”, said Marc Maiffret, eEye chief technology officer.

“I think it’s interesting that as an industry we are still trying to get our hands around everyday malware without even worrying about the targeted attacks”, Maiffret told Infosecurity.

A full 42% of respondents said lack of security resources is leading to improper configuration and an inability to protect against zero-day vulnerabilities.

“Close to half the folks are saying that one of their biggest concerns is a lack of technological and human resources, especially on the human side. People are trying to do a lot more with less”, Maiffret said.

If given a 20% increase in their IT security budget, 60% of respondents said they would put the extra money towards configuration compliance, security reporting, and dashboards and patch management, and 39% would put money toward regulatory compliance reporting.

“The number one thing that people would spend money on was having better security reporting and dashboarding and visualization technologies….They have a lot of technologies – anti-virus, firewalls, vulnerability assessment – and they are trying to understand, ‘I have thousands of things I could be worrying about, but what should I be worrying about?’ There was this general feeling that they need better visibility into what they should care about”, Maiffret said.

At the same time, 60% of respondents said that did not expect to receive an increase in their security budget, Maiffret noted. In fact, 20% of respondents experienced a decline in their security budget, he added.

“Unless you are in a Fortune 500 company that has dedicated security staff, it is very hard for the average business that typically has only two people who are IT folks who also have to do security and don’t have time to become experts. I think that is part of the reason you see that companies are struggling most, not with targeted or zero-day attacks, but with the everyday malware and spyware”, he concluded.