Just as interesting, however, was what respondents were not particularly concerned about: unauthorised access by outsiders, electronic fraud, electronic vandalism and sabotage, and extortion by electronic means were not considered particularly serious threats.
"Yes, we were surprised by that," said Computer Economics president Frank Scavo, the author of the report. "One of the things I realised in looking at the data is that IT security professionals are no different than anyone else."
"They assess risk in terms of what they've experienced in the recent past," he said. "So, if they haven't had exposure to a specific threat, they may not assess the risk as being that great. Yet, if they experience such an attack, the results can be devastating."
Electronic fraud, which ranked sixth on the threat list, is a case in point, he said: "Why it's not ranked higher may be because high-risk organisations such as banks and financial services companies feel their countermeasures are adequate - they're already good at managing fraudulent transactions, such as credit card transactions. Companies that don’t do business electronically, without exposure, weren’t concerned."
Electronic extortion offers another example, said Scavo. "The risk of a hacker gaining access to their systems and threatening to take them down unless some payment is made is low because the frequency of such events is very rare," he said. "Our survey found only a few respondents who reported any extortion attempts in the past year. That doesn't mean it's not a threat."
Other notable findings from the Computer Economics report:
- A majority of respondents said that threats from spam are increasing. The report attributed this to spam's prevalence, the highly visible nature of spam to everyone in an organisation, including executives, and the fact that spam is a vector for other types of attacks.
- Advances in technology to stop viruses, worms, trojans, adware and spyware notwithstanding, malware ranks high on the list of enterprise security pros’ concerns. There is significant variation among organisations in terms of the frequency of malicious code attacks, most likely due to discrepancies in how well organisations defend against such security events.
The rankings, in order:
1. Insider threats (unauthorised access to data or resources by insiders and violation of the organisation's policies regarding acceptable use of computing/network resources)
3. Malware (computer viruses, worms, trojans, adware and spyware)
4. Unauthorised access by outsiders
5. Threat of physical loss or theft of computer hardware and storage resources
6. Electronic fraud
7. Pharming attacks
8. Phishing attacks
9. Electronic vandalism/sabotage
10. DoS attacks
11. Extortion by electronic means
The survey of 100 IT security and risk management professionals in mostly large (1,000-plus-employee) organisations was conducted in the fourth quarter of 2006.