Companies still clueless on security?

New research has found corporate laptop security lacking, while smaller firms emerged as vulnerable to cyber attack, yet unaware of their potential as targets.

A survey of 320 UK public and private sector IT managers and senior IT staff found 43 per cent did not have data or device encryption deployed to secure their business laptops and a further five per cent admitted they didn't know if encryption was in use.

The survey, conducted by eMedia, revealed only half of organisations used data encryption to protect removable media, such as USB memory sticks, removable drives and DVDs. Nearly half (44 per cent) said they had no solutions deployed to protect these devices and six per cent of respondents said they did not know if encryption was in use.

Terry Greer-King, UK managing director of Check Point Software, which sponsored the survey said: "These threats need to be addressed by a combination of education and technology so that organisations can protect their data, their business and their employees against the risks of security breaches."

A similar UK survey also carried out by internet security software firm in October 2010 found just 40 per cent of organisations had encryption deployed on their laptop, suggesting a significant proportion of businesses are still vulnerable to breaches from loss or theft of portable PCs.

These threats need to be addressed by a combination of education and technology so that organisations can protect their data.

Greer-King said new threats such as consumerisation have also emerged, and many organisations hadn't established measures to secure the use of personal laptops and smartphones in the workplace.

Nearly two thirds (61 per cent) of organisations surveyed said employees use personal devices for work (up from 55 per cent in Check Point's October 2010 survey), yet 42 per cent of the respondents said they had no formal process for deploying security to these devices, leaving corporate network at risk.

Only 17 per cent of organisations said they insisted on deploying security on personal devices used for work purposes, and 42 per cent restricted access to the organisation's network or data resources to authorised corporate devices only.

A further 73 per cent said they had not experienced an incident of data loss incident in the past 12 months, whether accidental or malicious.

Yet, despite email breaches being the second most common vector for breaches, only 32 per cent of respondents said they had any kind of data leak prevention solution to protect email traffic and sensitive files from reaching unauthorised individuals.

Another survey published today, the Symantec 2011 SMB Threat Awareness Poll [PDF], also found half of small to midsized businesses believed they were too small to be the target of cyber attacks.

Yet data from Symantec.cloud found that 40 per cent of all targeted attacks since the beginning of 2010 had been directed at companies with fewer than 500 employees, compared to only 28 per cent for large enterprises.

Over two thirds (63 per cent) did not secure systems used for online banking, while a further nine per cent admitted they took no additional online banking precautions. Nearly the same proportion (61 per cent) used neither antivirus on all desktops or mail servers or services (47 per cent).