It's raining IT security surveys
Security vendors have gone survey crazy.
By Cara Garretson and Ellen Messmer, Network World | Network World US | Published: 09:00, 20 March 2006
If it feels like you're getting bombarded with surveys about network security threats, that's because you are. Leading security vendors, looking to scare up interest in their products, pumped out more than twice as many of these surveys last year as in 2004, and this year are on an even more aggressive pace.
Such surveys have shown that 25 percent of corporate e-mail users send personal messages, that there were 2.9 million phishing attacks in February and that 65 percent of ISPs consider distributed denial-of-service (DoS) attacks a main concern. The factoids go on and on and on.
According to our informal review of 20 leading security vendors, they made public 34 such surveys last year, most of which were conducted by third parties on behalf of the vendors. In addition, the vast majority of them issued reports - some as frequently as monthly - derived from information that their products collect regarding distributed DoS attempts, spam blasts, phishing attacks and the like.
While vendors say these surveys and reports are meant to alert IT professionals to growing security threats and to help vendors determine what sorts of products customers need, in fact they're creating a thick layer of fear, uncertainty and doubt, or FUD, that helps sell products in a market that IDC says totalled US$32.6 billion last year and is headed toward $38.4 billion this year.
For example, a survey of 603 consumers conducted last October by Momentum Research Group on behalf of RSA Security showed the French are more fearful than Germans about the possibility of fraudulent access to personal information at banking sites. But when it comes to fear of identity theft, no one beats Americans; nine out of 10 have heard of it, as compared with only one in three in France and Germany.
RSA, which provides products and services for authentication and anti-phishing, says in its press release about the survey: "The key to online confidence lies at the door of the business community - meaning that it is imperative for online vendors to be seen taking appropriate measures to protect their customers' interests."
"There's always a self-serving aspect to anything a vendor releases," says Keith Crosley, director of market development with messaging security vendor Proofpoint, which does a few surveys per year. "But we really are trying to educate markets and share interesting data that helps people make really intelligent decisions about their technology investments."
It's not surprising that vendors use survey results to help sell their products, often paying tens of thousands of dollars per survey with the hopes the results will support the need for their offerings. (Those that contracted professional firms said they did so because the size and quality of each sample would be superior to what the vendor itself could come up with, and therefore produce more accurate results that would be less likely perceived as biased.) But security vendors seem to be particularly fond of publicizing surveys these days, perhaps because there are very few ways to gauge just how secure a PC or network is - the FUD created by survey results sends the message that you're never secure enough.
IBM, which offers a number of hosted security services, this week released results of a survey it sponsored, conducted by Braun Research, that shows 84 percent of the 600 IT managers surveyed said they believe organized criminal groups with technical sophistication are replacing lone hackers as the main threat from the outside.
But the press release describing the survey questions respondents' ability to protect themselves. According to IBM, 83 percent of respondents "boast that they have adequate safeguards in place to combat organized cybercrime." The message? You're not as secure as you think you are.
One security company recently attempted to quantify just how worried IT managers should be.
Antimalware vendor Websense's sixth annual Web@Work survey, conducted by Harris Interactive and released last May, revealed that "one-quarter of IT decision-makers feel that the test of protecting their company against malicious Internet security threats is more stressful than a minor car accident."
It's difficult to ignore the steady stream of magazine and newspaper headlines announcing these survey findings, Network World not excluded. Some publications, including ours, conduct their own surveys as well to gauge readers' opinions and actions regarding security.
This flood of security headlines has led some to discount many surveys as marketing material. Bill Boni, vice president and chief information security officer at Motorola, says he will pay some attention to surveys if they appear to show validated data from responsible sources.
No one expects a vendor to issue a press release touting a survey that negates the need for its product, but this selective practice underscores the requirement to consider the source.
"Surveys are one of the only benchmarks you can use to make decisions . . . you'd be foolish if you didn't at least read them," says Jim Hite, supervisor of network services and central operations with Virginia's Prince William County schools. "But you have to consider that the manufacturer wants you to buy their product, so you have to weigh that."
If a vendor sponsors a survey that contradicts its own product plans, it's unlikely we'll ever know about it. Vericept, a small company with products focused on preventing internal threats, last December commissioned its first-ever survey, conducted by Enterprise Management Associates. The survey asked how concerned corporations are about internal threats; 74 percent said the risk of sensitive corporate information leakage because of internal personnel is moderate to very high.
And so, the company publicised its findings. "If we found people said 'internal risk is never a problem,' or that 'it will go away in six months,' then we may not have published it," says Brett Schklar, vice president of marketing with Vericept.
Some IT managers use these surveys to help open the company purse strings to fund new security projects.
"Reluctantly, I support the points many of these surveys are making, even though some of them make you cringe," because they're so blatantly oriented toward selling products, says Michael Dean, director of IT security for the 200 K-12 schools in the Palm Beach County School District in Florida, which support a high-speed network of 50,000 computers for 175,000 students and teaching staff.
Surveys are designed to help the sponsoring vendors make decisions, too.
In 2004, Proofpoint considered bringing to market an outbound e-mail compliance product. But first the company sponsored a survey conducted by Forrester Research that showed 43 percent of companies sampled used employees to scan outbound e-mail for confidentiality breaches or intellectual property leaks. Imagine the time and cost savings of automating this process. A few months later, Proofpoint released an outbound compliance product.
"The volume of response to the survey showed us there was a great deal of interest," Crosley says. "If there was no interest in outbound e-mail compliance, we would have definitely changed our plans with respect to how quickly we created the product."
Sometimes surveys show that security threats persist despite the widespread use of preventive products. For example, ICSA Labs conducts an annual survey of 300 companies and government agencies to find out how much antivirus software they use on desktops and servers, and how many "virus disasters" they experienced over the course of the year. Every year, as in last year's 10th Annual Virus Prevalence Survey, the costs of cleaning up after a virus disaster seem to rise - last year showed a 23 percent increase over the year before to $130,000 per disaster - while companies keep buying more antivirus software.
Some companies have gone to extremes to show how badly users need their products. Last October RSA Security sent a half-dozen employees out to Central Park in New York wearing "I Love N.Y." T-shirts to see if passers-by would fall for an in-person phishing scam to get their personal information.
In the guise of conducting a tourism survey, the RSA employees spent a few days handing out paper questionnaires. More than 103 people filled out the questionnaires listing their name, address, number of children, place of birth, mother's maiden name, date of birth and other information, says RSA's public relations manager, Matt Buckley. "We left out the Social Security number."
The purpose of the survey exercise was to show how easily people fall for phishing scams. "It shows that even though there are a lot of stories about phishing, you can't rely on education. You need a technology process," as a safeguard, Buckley says.
Ironically, cybercriminals are finding surveys help them, too. A recent phishing scam masquerades as a $20 credit offer from Chase Manhattan Bank if the recipient fills out an online survey about customer satisfaction, followed by requests for personal information such as Social Security number and mother's maiden name.