Compliance, New Threats Drive Security Spending
- By Stephen Swoyer
- July 21, 2008
Pity U.S. IT organizations. Not only must they grapple with rising regulatory
and compliance costs, but many are coming to grips with another rising cost:
security. Enterprise security is an expensive proposition, one that's likely
to get even more expensive as organizations take further steps to protect themselves.
The good news, according to a new survey from security software vendor CA Inc.,
is that all of that money seems to have been well-spent.
CA's latest Security and Identity Access Management (IAM) Survey found an overall
decrease in the number of organizations that reported virus, network and denial
of service (DoS) attacks last year.
What's more, CA indicated, almost 15 percent of shops said they hadn't experienced
(known) attacks of any kind. That's up from 11 percent in 2006.
That figure includes virus outbreaks. Last year, almost 60 percent of enterprises
grappled with virus attacks, down from almost 70 percent in 2006. Meanwhile,
just 40 percent of U.S. enterprises battled network attacks last year; that's
down from half of all shops in 2006.
DoS attacks appear to be on the wane; just over a quarter (26 percent) of organizations
were victims of DoS activity in 2007, CA said. That's a steep decline from 2006's
tally of 40 percent.
Even as IT organizations have clamped down on traditional attack vectors, they're
increasingly coming to grips with another line of attack: breaches from within.
According to CA, the percentage of survey respondents who experienced internal
security breaches increased slightly from its 2006 survey, climbing to 44 percent
in 2007 (an uptick of 2 percentage points). That's a sharp spike from half-a-decade
ago, when less than one-sixth of IT organizations experienced an internal breach.
"The increase of internal threat also appears to be making it more difficult
for organizations to successfully manage and contain the costs associated with
security attacks/breaches," the CA survey said.
The numbers paint a grim picture. In 2007, more than a third of organizations
reported losing confidential customer or transactional data as a result of security
breaches; that compares with just 22 percent two years ago.
What's more, internal breaches have disastrous real-world consequences, in
terms of both costs and irate customers. According to the CA survey, one-third
of organizations say they suffered reduced customer satisfaction as a result
of breach or attack, while almost two-thirds (61 percent) experienced diminished
productivity. This, of course, plays to one of CA's product categories: IAM.
"U.S. businesses and governments recognize it doesn't take much to shake
consumer confidence, and they recognize the need to do all they can to assure
consumers and constituents," said Lina Liberti, vice president, CA Security
Management, in a statement. "As the growth of security threats change from
external attacks [such as] distributed denial of service to the insider threat,
businesses are turning to identity and access management solutions to combat
that internal threat. This survey indicated that the number of organizations
planning to roll out identity and access management solutions in the next 12
to 18 months increased 11 [percentage points], moving from 49 percent in 2006
to 60 percent in 2008."
Increasingly, a majority of organizations are devoting the bulk of their IT
spending to security compliance. In 2007, for example, four-fifths of survey
respondents reporting spending 10 percent or more of their IT budgets on security
compliance, while more than half (56 percent) said that their firms spend 20
percent or more of their IT dollars on security compliance.
Over time, security budgets will gobble up an ever-larger share of overall
IT spending, according to CA officials.
"The survey points to an increase in the severity of consequences of internal
breaches. The implications are now tied squarely to dollars and reputation,"
Liberti said. "The potential aftershocks of an internal breach [have] the
attention of both the business and IT, and for enterprise organizations the
priority has now shifted from reactive to proactive security strategies to deal
with this threat."
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.