Online attackers are finding that the best way to hit a company is through mobile devices used by their growing remote workforces. That's because many enterprises aren't requiring that laptops and other devices undergo adequate security checks before accessing the corporate network.
U.K.-based research firm Dynamic Markets Ltd. reached that conclusion after surveying 500 enterprise IT managers across the U.S., U.K., Germany and France last November on behalf of South Jordan, Utah-based LANDesk Software Inc., a vendor of configuration and security management products.
"What surprised me about the results was the number of respondents whose companies are still affected by viruses and worms that can be stopped by basic security procedures," said Kevin Auger, security solutions manager for LANDesk. "This, despite all the increased spending on IT security and the vigilance companies have devoted toward the threats."
Because of what LANDesk described as inadequate security measures, more than 65% of respondents said they continue to experience security breaches and are looking for additional methods to secure their networks beyond AV software. Sixty percent of respondents also said their organizations not only can't scan devices as they attempt to connect to the network, but also can't quarantine systems that don't meet corporate security requirements.
While more than 85% of respondents said their workforce is now mobile or field-based, 46% admitted the only way they can enforce security settings on laptops and mobile devices is when those devices are physically within the corporate environment. Meanwhile, 23% said they must rely on their users to apply security patches themselves, and 22% said they have computers or laptops operating outside the corporate network that can't be managed over a virtual private network (VPN).
Respondents said network security breaches are most often cased by:
- Unauthorized mobile devices and laptops being connected to the organization's network;
- Users making changes to or disabling security settings; and
- Outdated patches or AV signatures.
SearchSecurity.com asked several IT professionals if the survey results reflect their experiences. Reaction was mixed.
"Unfortunately, I think [the survey response] is pretty realistic," said Eric Case, support systems analyst for the University of Arizona's Department of Chemical and Environmental Engineering in Tucson. "One of the things I do is run WSUS [Windows Server Update Services] and approve security updates. When a laptop is connected to the network, it sees new updates and pulls them in."
He offered an example of where the survey really hit home: A colleague was recently deploying the patch for the Windows Meta File (WMF) flaw and came across a machine whose primary user was away on vacation. He looked up and saw the mouse pointer moving around the screen. "It turned out someone was using Metasploit to try to get at other boxes," Case said. Attacks can be slowed down or prevented, Case added, but the threat is still there and there's always the chance an attack will succeed, especially in a university environment where many devices aren't under the IT department's direct control.
The responses were more shocking to Tom Kroll, network systems and security administrator for Chicago-based law firm Hinshaw & Culbertson LLP.
"One thing that surprised me was the response to the question about security breaches," he said. "I don't understand what the respondents' definition of a security breach is, but for 42% to have problems with users disabling security settings, that's unacceptable. I'd be ticked off if that were happening here."
Kroll was left wondering if respondents had misunderstood the question, which asked, "Which of the following have caused security breaches in your company?" Forty-two percent of respondents in the U.S. blamed it on "users making changes to or disabling security settings."
"For the most part, my users are not interested in shutting down virus scanning," Kroll said. "I want to know more about what's behind the question. Are we talking about virus scanning? People should be written up for that."
But if it's a case where the user makes a mistake via Internet Explorer (IE), Kroll said, "That's more understandable. I could see a situation where someone changes a setting to get a Web page to work in IE. A box might pop up saying 'click this box' to fix the problem with the page and the user clicks it without realizing they've disabled security settings."
Auger said respondents may well have been referring to accidental setting changes.
"It may not be a malicious thing on the user's part," he said. "They may change configurations at home so some home program like gaming can work, but then they might forget to put the settings back.
Still, he said, "It did surprise us that so many organizations would let users change things like that in the first place."
This article originally appeared on SearchSecurity.com.