Embedded within a new research study published today by Austin, Texas-based software maker SolarWinds Worldwide LLC is both good news and bad news about the state of IT security today. And the good news, essentially, is that there’s finally more than bad news to report.
Despite the ever-increasing volume and sophistication of security threats, 40 percent of respondents to the new study said their organization is somewhat less vulnerable to attack this year than last, and another 10 percent said they’re much less vulnerable.
The study surveyed 221 IT professionals, managers, directors, and executives at North American SMBs and enterprises.
“Typically when we talk about security news and security surveys there’s a lot of bad news,” says Mav Turner, director of business strategy for security at SolarWinds, which makes both security software and IT management systems. That there’s finally encouraging data to report “was something we felt was really great,” he adds.
Also striking, Turner notes, is how quickly study participants said they detect security incidents. Fully 63 percent, for example, said their company typically identifies the presence of malware on its network within minutes, while 59 percent and 48 percent said they spot phishing attacks and cross-site scripting assaults, respectively, just as rapidly.
“It was pretty surprising how quickly people could identify those attacks,” Turner says.
On the other hand, he continues, the new research also underscores just how treacherous the security landscape remains. Fully 22 percent of surveyed companies experienced a data breach in 2015, and an additional seven percent suffered more than one.
“There’s still a lot of work to be done,” Turner observes.
Nonetheless, the survey results offer evidence of progress against security risks. Research participants credit several factors for that trend, including increased adoption of intrusion detection and prevention systems and patch management software, both of which were cited by 32 percent of respondents, and expanded use of data encryption, cited by 27 percent.
According to Turner, however, the research also suggests that the combined effect of such solutions used together, rather than any one technology, is most responsible for the security improvements survey respondents reported.
“There was a high correlation between the number of tools that they had deployed and the increase in their security,” he says.
Better and increased training also figured among the top five explanations offered by study participants for their reduced vulnerability.
“Training will always be on the top list of things that have a direct impact,” Turner notes. “The better you can train [employees] to be prepared, the more effective your security posture is.”
Turner believes two larger phenomena not specifically addressed by the new study have also played a role in buttressing security readiness lately. First, security solutions have become easier to afford, deploy, and use. Second, businesses are spending more on security than before, chiefly because business owners and corporate boards no longer need to be convinced that cybercrime is a serious threat.
“That’s a result of a lot of the media attention these breaches have gotten over the last few years,” Turner says.
Companies that don’t feel safer this year than last should use today’s study to isolate and then close the gaps between their own security practices and those of leading-edge companies, Turner continues. The new research study makes clear that doing so can result in meaningful improvements.
“It’s possible to make progress,” Turner says.