Our survey turns up encouraging progress on old threats, but vulnerability to new ones

If you glanced only at the top-line results of the seventh annual InfoWorld Security Survey this week, you might conclude things haven’t changed much since last year — and you’d be dangerously wrong.

Sure, the gross numbers disclose about the same level of overall confidence, as writer Paul F. Roberts points out in “The Shaky State of Security.” For example, approximately 46 percent of IT professionals are “extremely” or “very” confident of their company’s security, roughly equal to the 48 percent of a year ago.

But look deeper and you’ll find several intriguing developments. On the positive side, IT professionals seem less afraid of threats they agonized over in 2003. For instance, whereas worry about possible cyberterrorism threats fell marginally from 10 percent in 2003 to 8 percent today, last year’s leading perceived security challenge — maintaining the “always-on” environment — was cited as a concern by only 9 percent of this year’s respondents. That suggests IT pros are learning to cope with the inherent dangers of this essential advance.

Equally encouraging, the proportion of those who are nervous about wireless security declined from 16 percent to only 9 percent (although Ephraim Schwartz focuses on a Bluetooth hazard in Reality Check). And only 18 percent cited budget limitations as their main concern in the coming year, down from 32 percent.

One reason for the confidence is that modern perimeter firewalls do a pretty good job of handling understood dangers such as DoS attacks. Alyson Behr examines this in a head-to-head comparison of three firewall appliances (see “Midrange Firewalls Face Off”). But the survey suggests other critical security holes remain unplugged. For example, we asked specifically about application vulnerability — and respondents promptly identified it as their second-biggest current worry.
Although 72 percent of respondents have firewalls, only 37 percent have network-based intrusion detection, only 26 percent have host-based intrusion detection, and a mere 15 percent have specific application-layer security. That’s daunting given that even humble browser flaws can undermine enterprise apps, as Chad Dickerson notes in CTO Connection.

On an even darker note, the survey found that only 7 percent consider corporate espionage a top threat, although the proliferation of consumer spyware suggests corporate versions can’t be far behind. And a startling 23 percent reported being attacked by “phishers” (corporate identity thieves). Phishing defenses are improving, but I bet this turns out to be a tough nut to crack given that the bad guys attack your customers directly instead of you.