Virtual computing is a growing trend throughout the industry, but one third of companies said they have not invested in security for that environment, a new study said.
This means businesses are opening themselves up to the possibility of a serious and costly data breach, said security firm Kaspersky Lab, which commissioned the study.
The study, conducted globally among businesses with 100 or more IT workstations, also found 42% of companies believe their virtual servers are more secure than physical ones, despite the fact one in three of those surveyed admitted their knowledge of virtualization was ‘basic.’
“There is a common perception that virtual machines are more secure than physical ones, but this is little more than a myth. In fact, virtual systems are just as vulnerable to malware in the form of malicious email attachments, drive-by-downloads, botnet Trojans and even targeted (spear phishing) attacks,” said Peter Beardmore, senior director of products and services at Kaspersky Lab.
Despite limited knowledge of virtualization, the study found 81% of services launched in virtual environments are business critical.
Around half of those running applications on virtual services said they did not have a full understanding of virtualization and securing that environment.
These facts combined point toward a worrying lack of knowledge among IT professionals, which may be putting the benefits of virtualization at risk, he said.
“There is no doubt that the business benefits of virtualization are huge – both in terms of cost and accessibility. But underestimating the security risks puts businesses of all sizes in a perilous position,” Beardmore said.
The lack of knowledge shown by IT professionals is mainly to blame, he said, so businesses need to invest in understanding the concept of virtualization.
Another common problem is that the business is so focused on performance and cost that security is often overlooked or tagged on only at the end, said Andrew Lintell, a director at Kaspersky Lab.
There are IT professionals who think a virtual server is just the same as a physical one, said Forrester security and risk analyst Andrew Rose. “But they are not. The risks are different.”
Beardmore said basic knowledge is simply not sufficient when the security of a business is at stake.
“The industry needs to wake up to this situation and invest in adequate security solutions alongside a comprehensive education program,” he said.
Virtualization can help improve security, Beardmore said, but only if companies invest in the security controls and management systems to keep track of VMs and enforce security policies.