Security Best Practices Pay Off

IT security concerns never go out of style.

The recent data breach at Zappos.com?in which 24 million customers had personal information stolen?is just the latest in a seemingly endless series of reminders that a comprehensive and multi-layered security strategy is essential to any business.

According to Symantec?s 2012 Endpoint Security Best Practices Survey, endpoint attacks?including malware, spam, denial-of-service attacks, vandalism and outright theft?cost the typical organization about $470,000 annually. The report cites a number of common problems that result from these threats, including: IT labor costs required to apply fixes after an attack; loss of organizational, customer, and employee data; and damage to an organization?s brand and reputation.

But attention to the problem pays off. Particularly interesting is Symantec?s assertion that ?top-tier? or best practice organizations are approximately 2.5 times less likely to have experienced a large number of endpoint attacks in the past year. They?re also 3.5 times less likely to have experienced downtime and they have about 4 times less downtime than other organizations. The report surveyed 1,425 IT professionals from 32 countries.

What constitutes a top-tier company? According to Symantec, nearly 100 percent of them promptly apply OS and application updates to endpoints and infrastructure, including physical and virtual servers, desktop machines and mobile devices.

Best practice companies also use firewall protection, intrusion detection and deploy tools to prevent the unauthorized copying of data to and from peripheral devices, including USB drives. Encryption, access control, data loss prevention and reputation-based security are the most commonly used technologies.

But the report also points out that best practice security is more than the sum of tools and technologies. An overwhelming 99 percent of these top performers provide some form of employee security training, with 82 percent doing so at least once a year.

By contrast, poor performers secure only about 20 percent of their physical endpoints and 10 percent of their virtual servers. Remarkably, roughly half from this group consider technologies such as encryption, access control, data loss prevention and reputation-based security as somewhat or extremely necessary, and only 66 percent train employees at least once a year.