Most organizations view data leakage threat as internal


A new IT security survey conducted by IDC revealed that most organizations are placing investment in Data Loss Prevention (DLP) technology at the top of their priority list. While 57% of the companies polled said they plan to invest in DLP technology, three times as many respondents said they believe data leakage is more likely to occur through accidental employee error (45%) than through external hackers with malicious intent (15%).

A majority of respondents (85%) said they thought data loss through external hacking was “very unlikely”, and 55% perceived intentional external data loss as having only “moderate impact” or “no impact at all” on their business. Additionally, more than 60% said they believe they are unlikely to be affected by virus attacks.

The research surveyed IT security decision makers at more than 400 organizations, with at least 500 employees each, across 18 countries in the Americas, Western Europe, the Middle East and Africa, and Asia Pacific. Other key survey results include:

Compliance variations. The research revealed that large organizations with more than 1,000 employees tended to be more compliant than smaller companies. In addition, companies in the Americas and in the public sector were more concerned about IT security regulations than those in other regions and industries.

IT security spending. The survey found that from 2008 to 2009, 19% of the companies surveyed increased their overall IT spending while 41% decreased it, mainly due to the economic downturn. However, for nearly 60% of the organizations, the average spend on IT security within the overall IT budget remained at 10% or more.

Shift to holistic approach. The surveyed companies appear to be shifting their investment focus away from point solutions to a more holistic approach, with 59% planning to invest in IT security audits and 52% in consulting services. This indicates a growing realization that reacting to security incidents, and ad-hoc acquisition of point technologies without regard to how they dovetail with others, is more costly and less effective than planning an integrated strategy.