IT managers neglect network security, choosing instead to point the finger at end users who are repeatedly blamed for virus outbreaks within organisations, according to a recent study.
Complacency by IT managers is the biggest security risk to corporate networks, security vendor McAfee has warned. The vendor recently conducted a study of IT managers in the UK, which found 82 per cent of respondents had suffered a virus attack in the past 12 months and 34 per cent had experienced virus-induced downtime. Yet, 92 per cent of respondents said they had sufficient resources to manage security in-house.
These figures, analysts said, are reflected in Australia.
McAfee believes a recent drop in serious virus outbreaks has caused the security issue to drop off the IT managers' 'to do' list as businesses become complacent about the security measures they have in place.
Most IT managers laid the blame squarely on end users, with 40 per cent blaming end user irresponsibility for virus attacks and 28 per cent putting it down to users not updating antivirus software.
Allan Bell, Asia-Pacific senior marketing manager at McAfee parent Network Associates, said survey results reflect local trends and also a worrying lack of acknowledgment by IT managers about where the core of the problem lies.
"The irony is some IT managers think they've got enough resources. The actual result is that they don't revise security. It's a question of what they have and what they think they have," Bell said. He said that, of the total cost of antivirus protection, software accounted for 20 per cent while 80 per cent is the ancillary cost associated with managing the software.
"Most companies focus on the cost of the software, rather than the total cost of ownership. It's a matter of ROI. Spending a bit more on security outsourcing may in the end save you more money than managing it yourself," he said.
The Australian market is reactive to high-profile security breaches, according to local IDC analyst Natasha David.
"The top drivers for upgrades to security have been brought about by a breach of someone else's site, or to a company's own network," she said.
David added recent surveys indicate a turnaround in companies that are now more proactive about security as part of their overall infrastructure spend. However, "there is still a fair amount of complacency".
"When there is a major breach, companies will then look at buying tools to make sure it doesn't happen again. This has been the key selling strategy for security vendors."
She dubbed it the 'FUD' (fear, uncertainty and doubt) sell.
A systems administrator for a national telecommunications company, who requested anonymity, agreed IT managers in Australia are no better prepared than their UK counterparts. The administrator said IT security is a "difficult business" and "lacks teeth and focus" at the telco he works for.
"The network is so large that there is very little, read no, attempt at proactive security. Initially things are put in with a reasonable amount of security intended but there is no successful attempt to revisit security installations, patch and monitor logs because of the size of the task and the impact to production networks. Add cost and organisational willpower as well.
"I strongly suspect hackers could take out key portions of our national infrastructure," he added.