Cost of IT security breaches on the up

9 Oct 2007

The cost to an organisation from a sensitive data breach will increase at a rate of 20pc year-on-year through until 2009, according to new research from Gartner.

The research firm says that financially-motivated attacks are becoming more prevalent and new vulnerabilities continue to be reported. It says that 90pc of these attacks can be avoided without requiring any increase in security spending.

However, an organisation that doesn’t want to be part of the 10pc must implement security processes to monitor and manage vulnerabilities and provide strong identity and access management capabilities.

“The biggest attack risk to enterprises comes from targeted attacks,” said John Pescatore, vice- president and distinguished analyst for Gartner. “In addition, phishing and identity theft attacks have caused the rise of ‘credentialed’ attacks, in which the attacker uses the credentials of a legitimate user.

“Malicious software (malware) attacks also allow internal executables to be used to forward information to an external attacker,” Pescatore continued. “Being aware of ‘inside out’ communications and being able to block those as effectively as ‘outside in’ is becoming increasingly important.

Security strategies, he said, must reduce the cost of dealing with mass attacks to free up investment and personnel resources to evolve capabilities for dealing with these more complex targeted attacks.”

Gartner analysts estimate that the cost of sensitive data break will increase 20pc per year until 2009.

While mass attacks such as worms and viruses have continued, the investments that enterprises have made in intrusion prevention, vulnerability management and network access control have paid off, as those simple mass attacks have succeeded less often.

However, the attackers are now more financially motivated and have launched new waves of attacks that, when successful, cause enormous damage to the bottom line, but that often go unreported.

Gartner says that the average enterprise is spending more than 5pc of the IT budget on security and close to 12pc, if disaster recovery spending is included. However, Gartner has seen little or no correlation between enterprises that spend the most on security and enterprises that are the most secure. While there are definite areas that require additional investment, there are just as many areas of security that can be done more efficiently.

“The most effective ways to become more secure while reducing security spending are to avoid vulnerabilities — to ensure that security is a top requirement for every new application, process or product, whether built in-house or acquired from a vendor” said Ray Wagner, managing vice president for Gartner.

“Just as important is understanding where security funds are being spent and where that spending is effective or ineffective. Security metrics should be established for all major security spending areas.”

The approach to security needs to move from a reactive approach to a mix of strategic planning and rapid tactical execution.

“The key is to identify major technology changes and start taking steps to reduce the cost of dealing with today’s mature threats — viruses, worms and denial-of-service attacks — to free up funding and manpower to influence the new systems and business processes that are being built today and that will bring on the next generation of threats,” said Pescatore.

By John Kennedy