Barracuda Networks, Inc. revealed that Malaysian companies have been spending less on IT security. The cloud based security and storage solutions company said that on average, Malaysian companies allocated only about 12% of its annual budget for IT security.
“Out of these 12%, only 17% were spent on network security” said Anshuman Singh, Director of Product Management, Barracuda Network (India).
Anshuman shared that 35% of the cyber attack were targeted at web applications last year and 22% was cyber espionage (spying). He also said that distributed denial-of-service DDoS services are now available for as low as RM1 if someone wants to take down a website for 10 minutes.
Referring to Heartbleed, Shellshock, Cryptolocker and the ATM hacking incidents last year, Anshuman said that companies, especially banks should invest more on IT security and keep their software up to date.
According to Barracuda, there are six threat vectors that need to be secured for total threat protection. Below are threat vector, type of threat and examples:
| Threat Vectors | Types of Threats | Examples of Attack Surfaces |
| Spoofing, Phishing, Directory Harvest Attacks, Spam, E-mail Borne Viruses | Different locations and Internet breakoutsVirtual networks that are constantly changing
New, Internet-connected devices (“Internet of Things”)
Public cloud
SaaS |
|
| Web Applications | SQL Injections, OS command injections, Cross-site Scripting, Cross-site Request Forgery, Session Hijacking | |
| Remote Access | Brute force attacks, Stolen credentials | |
| Web Browsing | Social engineering, hacked Web sites, downloaded malware, drive-by downloads | |
| Mobile Internet | Phishing, black hat apps, public networks | |
| Network Perimeters, including public and private clouds | DDoS, brute force attacks, IP spoofing |
Most companies are aware of the need for IT security, however the implementation of Goods and Services Tax (GST) starting April 2015 is one the reason why companies are slashing down annual IT budgets according to Barracuda Networks Inc regional manager in Malaysia, Thiban Darmalingam. Due to uncertainties, companies are adopting a ‘wait-and-see’ mentality, he said. However, Thiban was not able to provide an estimated figure when asked about the GST impact on IT security spending.
Below are the 2015 security outlook and trend according to Barracuda Networks:
- Attack surfaces will change. As companies move from physical to virtual to public cloud to SaaS, their attack surfaces change accordingly. An infrastructure upgrade may add multiple attack surfaces, all of which have to be secured. For example, companies that migrate from an on-site Microsoft Exchange Server to Office 365 have added a new attack surface across multiple threat vectors, including email and web application threat vectors.
- We will continue to see threats across all vectors, with an increase in attacks related to mobile access and web applications. Mobile internet is particularly vulnerable to phishing and social engineering attacks. Mobile devices are constantly moving between secure corporate networks and unsecure home or public wifi.
- There will be a continued rise in web application attacks and DDoS incidents. The web application vector is the attack surface that is currently the least understood by most IT administrators and is generally the most exposed. Many companies attempt to secure this threat vector with the wrong technology, like a network firewall, which can protect Layer 4 protocols and even do deep packet inspection. However, truly protecting Web application layer attacks generally requires terminating the HTTP or HTTPS protocols and often rewriting traffic to identify and mitigate threats. Just as a network firewall is not designed to stop spam, it is also not designed to stop web application attacks. This type of misunderstanding leaves the threat vector exposed to attack, and gives the administrator a false sense of security.
- Any increases in IT security budgets will be insufficient for “business as usual.” Administrators will continue to be required to do more work with fewer resources, and attempts to either “go without” protections along key threat vectors or to manage a patchwork of disparate security systems will leave their organizations at risk.