Not even the largest, most technologically sophisticated companies in North America are prepared to deal with the security threats they face every day, let alone those they'll be hit with in the future, according to a new survey.

The survey of 315 North American IT security professionals at companies larger than 1,000 employees was paid for by Malwarebytes, but conducted by IT analysis firm Enterprise Strategy Group. Forty-nine percent of respondents said their companies had been hit with at least one successful attack during the last 24 months; 74 percent have increased their IT security budgets during the past two years, but 62 percent still said their security software isn't up to the challenge of fending off zero-day vulnerabilities or polymorphic malware.

Despite increases in IT security budgets, heightened security awareness among IT staffs, and efforts to educate end users in avoiding simple attack methods, 57 percent of respondents said it still takes hours to detect an attack that compromises a specific IT asset. For 19 percent of the companies in the survey, discovering a successful breach takes days instead of hours.

The most likely source of IT security risk continues to be end users who don't understand the danger of clicking on infected URLs within emails, opening attachments from strangers, or visiting infected Websites, survey respondents added. Among the companies that had been successfully attacked using malware, 29 percent said employee use of social networks was to blame for the infection.

"When it comes to managing malware risk, enterprises would be best served by implementing a layered approach using proactive and reactive lines of defense through their networks," according to a statement from ESG analyst Jon Oltsik in a release about the survey.
Most large organizations have given up on IT security based only on stopping malware or other potential threats at the perimeter of the network in favor of adding encryption, access control, intrusion detection and other layers of security within the infrastructure and surrounding specific applications or sources of sensitive data—a shift that played a major role in Cisco's recent decision to buy intrusion-detection provider SourceFire.

Surveys of IT security people consistently point to end users as the primary point of entry for malware or other external threats—and not without reason. End users at 91 percent of U.S. companies use P2P file-sharing networks or other common sources of direct malware infection, according to analysis of real-world network- and applications-monitoring data by CheckPoint Technologies at more than 900 organizations.

End users alone may not be the problem, however. IT or business-unit managers often talk a good game about security but know little about it and do less, according to a study published earlier in July by U.K.-based consultancy IT Governance.

Though 53 percent of managers in the IT Governance study said employees continue to be the biggest threat, only 16 percent admitted to being briefed on security issues any more often than once per week; 52 percent said they were briefed only once per year. Twenty-five percent of managers did admit their companies had been hit with at least one "concerted attack" during the previous year, but 20 percent didn't know enough to say whether the company had been attacked at all.