January 13, 2011, 5:42 PM — IT organizations and the infrastructure they build and babysit are expanding beyond their traditional boundaries and encountering new threats and not doing much about them, according to a survey of 300 IT security people.
The survey was carried out and the report was written by Forrester, but it was paid for by Symantec, which explains the marketing-speak title "Enhancing Authentication to Secure the Open Enterprise."
Not that better authentication would make an enterprise less secure. It's just that good passwords aren't the only important parts of a real security plan.
The study's three big conclusions are that, since large companies are expanding into virtual, cloud and mobile environments, they are:
- Encountering new security risks;
- Finding that password issues are the No. 1 access issue in the enterprise; and
- Most companies think really good authentication costs too much to be worth the money.
None of those things is new, and none is the kind of thing that would be a surprise in a Symantec marketing piece rather than an analyst report.
More interesting is some of the detail farther down.
- 54 percent of respondents had a data breach in the past year and expect to see more attempts in the coming one.
- Password resets make up 30 percent to 50 percent of IT calls -- far more than IT can afford. Part of the volume is because users can't remember their own passwords. To give them a break, 87 percent of users need two to three passwords for corporate access, each of which is changed periodically in companies with good security and password policies.
- Malware attacks are being designed more frequently to take advantage of weaknesses in password policies.
- Two-thirds of companies don't use two-factor authentication for outside companies needing to access the network, even though it significantly increases the difficulty for hackers.
The upshot is that password management and endpoint security still generally suck at large companies. Here's why:
- Security policies put all the responsibility for passwords and authentication on the end users;
- They don't require high enough security to make up for users they already know are sloppy with their passwords; and
- The companies themselves are too cheap to put in global authentication systems that make things easier on everybody.