Low-Level Malware, Not APTs, Keeps Security Professionals Awake at Night

Security professionals are more concerned about common malware than “advanced persistent threats” carried out by sophisticated cyber-criminals or by rogue governments, a survey finds.

IT security professionals rated common, low-level malware as their top IT security concern, according to a recent research survey.

In the latest survey from eEye Digital Security, released June 16, IT security professionals also rated a lack of resources and the inability to deal with zero-day vulnerabilities among their top concerns. Most respondents feel that high-profile malware such as Project Aurora and Stuxnet poses either a small or very small threat to their organizations, and most consider government-sponsored hacking a low priority.

In a survey of more than 1,677 IT administrators, managers and C-level executives, nearly 55 percent said they consider mass malware and spyware a “very large” or “large” threat to the enterprise. That was in stark contrast to the 12 percent who said the same for Stuxnet and Operation Aurora, 11 percent for Night Dragon, and 23 percent for government- and state-sponsored attacks. Nearly 44 percent consider Stuxnet a “very small” threat, the survey found.

“While it is important to remain vigilant against attacks that wreak havoc and damage reputations, we must also remain focused on attacks that fly in under the radar” and happen every day, Marc Maiffret, CTO of eEye Digital Security, said.

About 47 percent of the respondents are concerned over a lack of staff or tech resources, while 41 percent said they are concerned about improper configuration. About 42 percent rated their inability to protect against zero-day vulnerabilities as a large or very large concern.

The “2011 Headlines vs Reality” survey “demonstrated that headline-driving attacks are not what keep IT security professionals or executives up at night,” according to eEye.

The survey found that security professionals want to make defense against stealthy, everyday attacks a priority, Maiffret said. “Although cutting-edge headlines and horror stories may rule the air, most security professionals remain focused on the basics,” he added.

Asked what they would do with a sudden 20 percent increase in their budgets, most respondents named basic tools. About 65 percent said they would spend it on security reporting and dashboard technologies, 63 percent named patch management, and 60 percent named configuration compliance tools. A little over half, or 52 percent, said they would use the budget increase to hire more personnel.

About 61 percent said they would not spend it on more regulatory compliance reporting tools, and 49 percent said they would not invest in defenses against advanced persistent threats and other high-profile threats.

However, most respondents, or 57 percent, said they won’t be seeing any increases in their 2011 budgets, despite the supposed economic recovery. Only 21 percent expect an increase, and 22 percent actually reported a decline, according to the survey.

The survey included security professionals and executives from organizations of various sizes across all industries. Thirty percent of respondents came from organizations with 4,000 employees or more, and another 34 percent came from true small to midsize businesses with fewer than 99 employees. While 22 percent of the respondents came from high-tech, 35 percent came from industries other than high-tech, financial services, energy, retail, health care or the government sectors.