Security technology or staffing gap: Which is the greater enterprise challenge?

It’s no secret that attacks are rising in numbers and complexity. So it should also come as no surprise that enterprises are having a challenging time keeping certain types of attacks at bay.

These include DNS (Domain Name System) attacks, network layer Denial-of-Service (DoS) attacks, and attacks on encrypted data.

The attacks are costly: The typical annual tally, for those surveyed, is about $682,000. More than half of enterprises surveyed cited loss of productivity, 43 percent said they lost data, and 31 percent said they lost revenue as a result of these attacks. Additionally, organizations said attacks come with an additional price of lost customer trust, regulatory fines and theft of money or other goods.

These grim statistics are the findings of a recent Applied Research survey commissioned by F5 Networks. The survey is based upon responses from 1,000 large organizations in 10 countries.

The survey also found that traditional security technologies are not keeping up with the threat.

For instance, 42 percent of respondents said they experienced a firewall failure due to network-layer DoS traffic load in the year, and 36 percent reported such a failing during application-level DoS attacks. Survey respondents didn’t convey much faith that their security systems could parse traffic context well enough to protect against complex attacks any more sufficiently than “somewhat well.”

In an attempt to quantify the impact of these attacks, Applied Research combined survey results, including the top three most frequent, difficult, and high-impact attacks reported, to develop its version of the “Cyber Attack Index.” According to their finding, DNS attacks ranked 100 percent, while network DoS came in at 98 percent, access of encrypted data 83 percent, misconfigurations 64 percent, and application layer DoS 48 percent on the index.

Also noteworthy is that a large portion of security professionals are not familiar with commonly-known attack techniques among hackers and pen testers. More than 30 percent of respondents weren’t familiar with directory traversal, cross-site request forgery, application layer DoS, cross-site scripting attacks.

That lack of industry knowledge was touched on in another Applied Research survey released weeks ago. The 2011 Threat Management Survey, sponsored by Symantec, found that in addition to gaps in security technologies, lack of sufficient staffing — and confidence in that staff — poses the greatest challenges. In fact, a surprising 57 percent of the 1,025 surveyed said that they lack confidence in their IT security staffs’ ability to respond to new and emerging threats.

About half of those who lacked confidence said that insufficient security staff was a top factor. In total, 43 percent of organizations reported being “somewhat” or “extremely understaffed.”

In North America, the lack of staffing was more prevalent with 53 percent citing a staffing deficit.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.