Why are business technology professionals so ambivalent about IT security? They acknowledge that the threats to computer systems keep growing in number and sophistication, yet they think they've got the problem under control. For the naively confident, there could be costly consequences for their companies and customers.

InformationWeek Research's ninth annual Global Security Survey, conducted in partnership with Accenture in May and June, shows across-the-board threats to business computing environments. Fifty-seven percent of U.S. companies surveyed report being hit by viruses in the past year, 34% by worms, and 18% by denial-of-service attacks. Network attacks and ID theft were experienced by 9% and 8%, respectively. It's no wonder that 48% of the 2,193 security professionals and business technology managers who completed the survey say managing the complexity of security is their top challenge.

GM's Litt: Safer software is the answer Photo by Chris Lake

Yet when asked whether their companies are more vulnerable to malicious code attacks and security breaches than a year ago, only 11% of respondents at U.S. companies thought so. The vast majority, 89%, think their companies are no more vulnerable than before or about the same. That's an even higher level of confidence than we found in last year's survey, when 84% of respondents said their companies weren't at increased risk.

We thought they were overly optimistic then, and we'll repeat our warnings here: The ready-for-anything attitude prevalent among IT pros is dangerous. Despite the many defenses that have been put in place--antivirus software, firewalls, intrusion detection and prevention systems--business computing isn't invincible. Given all the data breaches and exposures we keep learning about, a degree more wariness is in order.

Notably, IT professionals in other countries are somewhat more cautious in their assessments: 13% of respondents in Europe, 16% in China, and 24% in India say their organizations are more vulnerable to the many dangers confronting them than they were a year ago.

Why do things keep getting more complicated? Each new product that comes in the door--from mobile devices to portable storage to Web-based collaborative applications to voice over IP--adds a new security twist. The threats are more sophisticated, and the attacks more numerous. Security professionals and business technologists cite a long list of challenges, including raising user awareness (41%), enforcing security policies (36%), controlling system access (26%), and getting more resources (23%).