
CyberSecurity Institute

Security News Curated from across the world


Category: Trends

Hack attacks and spam set to increase

Posted on October 7, 2004 (updated December 30, 2021) by admini

IT security spending is set to almost double from 2.5 per cent of overall technology spending to four per cent within the next four years, while spam will increase from 17 billion emails today to 23 billion by 2007.

‘Almost half of emails will be spam related in the future,’ said Thomas Raschke, IDC’s program manager for European security products and strategies, speaking at the analyst’s 2004 Security Conference in London. ‘On average employees will use 10 minutes of their day identifying spam and getting rid of it. When you add this up businesses face massive losses connected to it,’ he said.

Rather than developing a reliance on new security products, IT directors need to realise the importance of enforcing security policies and run a risk analysis every month, especially when implementing higher risk technologies, such as mobile policies and peer-to-peer projects, says Raschke. ‘Security policies need to be checked and re-evaluated constantly. Firms should build in rules governing what people can access using the corporate network – it’s often an overlooked part of the business,’ he says.

But by undertaking proper risk analysis organisations may discover parts of the business that require less IT security spending than others. ‘Not everything needs to be one hundred per cent secure, for instance lots of information is shared with partners and customers on the internet,’ said Raschke.

A growth in malicious attacks, viruses and spyware will also lead to a 15.4 per cent increase in security software spending over the next four years, with firms investing more on intrusion detection, secure content management, firewall and VPN software.

‘It is easy to create maximum damage to systems with little effort these days, it’s as simple as going to an internet site and loading virus writing tools,’ said Raschke.

IDC also predicts spending on security hardware appliances will also grow by 23 per cent between 2003 and 2008, as IT departments look for methods to monitor all areas of IT security.

http://www.vnunet.com/news/1158623


IDC sees IT rebound in Europe

Posted on October 5, 2004 (updated December 30, 2021) by admini

According to research from analyst firm IDC, nine million IT workers and their companies in the Europe, Middle East and Africa (EMEA) region are already generating more than $200bn in tax receipts. And that number is expected to grow.

“We are in the midst of an IT rebound in EMEA,” said Thomas Vavra, software and consulting manager for IDC. “Western Europe was hit hard, but emerging markets have mitigated losses and are expanding. That’s a benefit for government because it will have less unemployment expenses and there will be a number of new people in IT.”

IDC surveyed 19 countries in the EMEA region. It predicted that IT spending is set to improve — the company said that by 2008 spending would reach a value of $360bn.

“We expect that over four years we will see a representation of new jobs connected with software,” said Vavra. “In many of the emerging markets, countries are moving away from infrastructure IT to software.” Vavra added that more than a third of 2004 tax revenues came about because of ‘the vast Microsoft ecosystem’. He said that for every dollar of Microsoft revenue in the region, another seven and a half were generated by companies that sell technology to run on the company’s operating systems.

Countries examined in the study included: the Czech Republic; Hungary; Israel; South Africa; Austria; Denmark; France; Germany and the UK among others.

http://news.zdnet.co.uk/business/0,39020645,39168980,00.htm


Upgrades, HR costs squeeze British tech budgets

Posted on September 28, 2004 (updated December 30, 2021) by admini

A survey of 168 organizations in the United Kingdom found that more than half expected IT spending to increase over the next year by an average of 1.9 percent. The annual Benchmark of IT Spending was conducted by Britain’s National Computing Centre. That figure of 1.9 percent varies widely over different sectors.

In central government, manufacturing and finance, overall IT spending is predicted to actually fall over the next year. Ian Jones, head of content and publishing at the NCC, described the outlook of IT buyers as “cautiously optimistic.”

The bulk of IT budgets is still taken up by running and maintaining the existing infrastructure, with operational costs making up 68 percent of total spending. Fresh investment in IT only accounts for 28 percent, with the rest accounted for by end users and other sources within the organization. Again, the figures differ in each sector, with IT investment greater in central government and finance, and lower in construction and manufacturing.

IT staff remain the single largest budget item, accounting for almost a third of overall budgets. The average level of IT staffing is 26.5 techies per 1,000 end users in a company, which is slightly down from 31 last year. The finance sector has the highest ratio, at over twice this year’s average.

Desktop replacement is the most important IT department activity, and 42 percent of Windows systems are expected to be upgraded over the next two years, mainly to Windows XP. The proportion of sites running Linux desktops remains low, though strong growth is predicted. Jones said the Linux vendors had come in for “a real kicking” after all the rhetoric and hype about open source on the desktop. “It has really made no impact whatsoever on the desktop,” he said. “The Linux vendors need to raise their game.”

The big area highlighted by user organizations is thin-client desktops. These are currently only used in 16 percent of firms, but that is expected to rise to 24 percent over the next two years. Laptops and PDAs are also expected to grow proportionately much faster than desktops, at just more than 50 percent over two years, though the actual numbers remain a lot smaller.

The Windows 2003 server upgrade is also a major project on the table for many companies, while the decline of the mainframe continues apace.

http://news.zdnet.com/Upgrades%2C+HR+costs+squeeze+British+tech+budgets/2100-3513_22-5386982.html?part=rss&tag=feed&subj=zdnn


New technology increases threats

Posted on September 23, 2004 (updated December 30, 2021) by admini

‘Extending enterprise networks overseas, as a result of increased outsourcing, can create new problems,’ managing vice president Victor Wheatman told delegates at the Gartner IT Security Summit in London this week.

Emerging technology such as web services and wireless personal devices will also expose new holes in IT security plans, he says. ‘Each new technology and way of doing business brings with it a whole range of new IT security concerns,’ he said. ‘And each new wave of technology obliterates the security architecture appropriate to its predecessor, opening the enterprise up to an ever increasing raft of security risks.’

Cybercriminals will be an increasing risk, developing ever-more sophisticated methods of making money using spyware, phishing and spam, says Wheatman.

Gartner says businesses should also put more pressure on vendors to remove security flaws before products are launched. The analyst predicts that a 50 per cent reduction in software vulnerabilities before shipping could remove 75 per cent of configuration management and incident response costs incurred by businesses.

The key to secure business is management improvement, with the most secure firms spending less than average, he says. The lowest-spending 20 per cent of firms are also the most efficient and will safely reduce security spending to only three to four per cent of their total IT budget, says Wheatman.

But to achieve this, investment must shift from product-based purchasing to implementing better-designed risk management processes. ‘We will constantly see new risks because technology and business processes don’t stand still,’ said Wheatman. ‘It’s about keeping the bad guys out, while letting the good guys in and keeping the wheels on.’

http://www.vnunet.com/news/1158271


The Best Practices of Highly Secure Organizations

Posted on September 21, 2004 (updated December 30, 2021) by admini

But the battle to protect critical data is far from won. The largest security research project ever done was the “2004 Global Information Security Survey,” with 8,100 respondents from 62 countries on six continents.

In the 2003 survey, they noted that the infosecurity discipline had grown but had not really improved. This year, they found that the security function didn’t really grow but did, in fact, improve—at least incrementally.

Despite flat levels of spending, few new human resources being devoted to infosecurity, and the fact that the number of breaches was slightly up from last year, those breaches caused less downtime and cost less when they did occur. They believe this means that incidents are being better managed.

More companies (although still far from a majority) have created an executive-level security presence, and more have included risk management, audit and other non-IT elements in their security governance.

Last year’s barriers to good security—budgets and time—were still cited this year as the most common obstacles, although fewer companies said those issues prevented them from getting the job done. That’s progress, and that’s the good news.

Information security professionals in large part did not execute this year what they said last year were their top strategic priorities.

Negative factors (such as fear of litigation) remain the primary drivers of security spending. Positive factors (such as contributing to business objectives) were less common.

The attitude among security professionals toward critical infrastructure, regulation and working with the authorities after incidents can best be described as laissez-faire, maybe even lackadaisical.

As fond as the IT industry is of declaring revolutions, the information security part of IT resists such drama.

This year’s data reinforces the view that security remains a discipline, adapting itself over time to a harsh environment of threats and vulnerabilities.

They defined a small group—about one-fifth of respondents—that described itself as “very confident” in the effectiveness of its information security practices. This group has earned the right to be confident. Collectively, while those respondents reported more security incidents, they experienced less downtime and fewer financial losses than the average respondent. This is just one of the reasons they are the Best Practices Group.

In last year’s data, we uncovered what we called “The Confidence Correlation”—in which enterprises that expressed confidence in their security were, in fact, more secure. This year, the trend was even more pronounced.

The Best Practices Group may have suffered more incidents than the average respondent, but those incidents didn’t precipitate more damage or downtime. Indeed, the Best Practices Group suffered less of each despite being targeted more often. That higher number of reported incidents can be attributed to two facts.

First, these tended to be larger companies, and larger companies are targeted more by the bad guys.

Second, the Best Practices Group generally had a more comprehensive security infrastructure, which gave it more visibility into what was happening on its networks.

They know the Best Practices Group had better security, because the survey asked respondents what security and privacy safeguards their companies had in place.

And for every single one of the 84 safeguards listed, the Best Practices Group was more likely—sometimes by a wide margin—than the average respondent to have put it in place.

The organizations with high confidence in their security created a virtuous cycle.

They do a better job securing their infrastructure, which breeds confidence in the enterprise (especially in the executive ranks), and that confidence translates into support that manifests itself in resources. Greater resources means the Best Practices Group can improve security, which breeds more confidence.

It’s good to be confident. It’s better to have good reason to be confident. Here’s a to-do list that we believe will help you work your way into the Best Practices Group. These disciplines can either exist under a single CSO or as separate entities governed by an executive security committee.

1. Invest: U.S. respondents said infosecurity accounts for less than 9 percent of their IT budgets. The Best Practices Group claimed 14 percent.
2. Separate information security from IT and then merge it with physical security.
3. Conduct a penetration test to patch up network and application security. (The Best Practices Group was 60 percent more likely to do this than the average respondent.) Perform a complete security audit to identify threats to employees and intellectual property. (The Best Practices Group did this far more often than the average respondent.) Create a comprehensive risk assessment process to classify and prioritize threats and vulnerabilities. (The Best Practices Group was 50 percent more likely to do this.) Define your overall security architecture and plan from the previous three steps. (Two-thirds of the Best Practices Group did this as opposed to only half of the respondents overall.)
4. Establish a quarterly review process, with metrics (for example, employee compliance rates) to measure your security’s effectiveness. This will help you to use your increased resources more efficiently.

Yet, damages to the enterprise were down.

And the time between the announcement of a vulnerability and the attack that exploited it was shrinking from several months to, in the case of Sasser, 18 days.

That’s why it’s so surprising and heartening to report that while the bad stuff keeps coming, one-third of respondents who were hit by security breaches reported zero downtime, and one-third also reported zero financial damages. Overall, both downtime and damages were lower this year than last.

This year’s data indicates that information security executives are learning to treat their colds and remembering that an ounce of prevention is worth a pound of cure.

Fifty-four percent of our respondents designed or improved their existing disaster recovery and business continuity plans in 2004.

Out of 30 security priorities (the top 17 are listed in “Missing the Mark,” right) named in operations and technology in 2003, execution fell short of ambition in 28 instances.

More disturbing is the fact that the only two priorities from the 2003 survey that were implemented to a greater degree than planned involved firewalls. The most commonly cited barrier was, as always, money. Ikbal sees a series of factors contributing to the priority gap: “These tasks are unpleasant, and people will put them off if they can.”

Last year, only 15 percent of respondents said they’d created a CSO or CISO position; that leaped to 31 percent this year.

For those who theorize that regulation and government involvement will improve information security, these numbers should prove unnerving. Regulation has yet to drive companies toward better security or have much impact on their practices. Only half of all U.S. respondents claimed to be in compliance with HIPAA, and 41 percent reported that they comply with Sarbanes-Oxley. Of course, not every respondent needs to comply with HIPAA. But if we look at those industries that do—health care, pharmaceutical, and biotech at 71 percent, 45 percent and 40 percent compliance, respectively—the story doesn’t change that much.

Security professionals are dubious of both current and potential future regulation. “No regulation is preferable to bad regulation,” says the CISO of a major electronics company. “On the other hand, if we don’t regulate, we’re heading to a bad event with critical infrastructure, and then you’ll end up with regulation passed in reaction to the bad event. It would be the worst of both worlds.”

That bad event is what DHS’s color-coding seeks to avoid. The government’s threat-level reporting is widely believed to be for the public but, in fact, it was meant to alert first responders in the private sector to guide them in their protection of the critical infrastructure. When DHS Secretary Tom Ridge introduced the system in 2002, he said, “We anticipate and hope that businesses and hospitals and schools…will develop their own protective measures for each threat condition.”

Only one in 10 respondents reacts to homeland security alerts, and again, the breakdown by industry serves to reinforce that point. No other industry reached 10 percent answering yes. And eight industries, including agriculture and electronics, had zero respondents who changed their practices according to the threat level.

“What can we do with a nonspecific threat?” “If it were, say, an orange alert for the supply chain, then we could take specific actions. Otherwise, we can’t be moving resources around without knowing why we’re doing it.”

Regulations don’t create security; people create security. At the same time, regulation has a purpose. Even Scott Charney, CSO of Microsoft, believes that well-crafted regulations (he used to write them when he worked for the Justice Department) can have a positive effect on information security.

“The key is they have to be written well, and that’s not easy to do,” Charney says. “Passing a regulation that says ‘Thou shalt be safe’ isn’t useful.” Right now, the DHS’s color-coded alert system does not identify the specific threats that the infrastructure faces, nor does it guide the actions of information security professionals.

Until DHS and industry leaders, in a combined effort, can define what’s supposed to happen when the light goes from yellow to orange, the threat-level warning system can only produce agitation, not information.

The Game’s Afoot

The data from the “2004 Global Information Security Survey” shows movement in the right direction. Happily, you’ve evolved, and information security practices are slowly improving. Unhappily, the threat environment is also evolving.

Just as you’ve started to gain ground in the virus battles, spam, malicious code and confidence tricks are being designed to far more destructive ends (including extortion and theft) than simple network downtime. Phishing was so limited last year that we didn’t even ask about it. This year, 13 percent of respondents said they were affected by it.

Yes, you’re managing the viruses and other security nuisances better. But, the information infrastructure is no longer the target; it’s just the path used to get to far more profitable targets.

Perhaps this is why the “not at all confident” group of respondents ticked up from 10 percent last year to 14 percent this year.

Yes, information security improved in 2004, but this is no time to celebrate. Ever more sophisticated Dr. Moriarities are out there, lurking. For them, and for you, the game’s afoot.

http://www.csoonline.com/read/090104/survey.html


Gartner analysts point out the security you don’t need

Posted on September 20, 2004 (updated December 30, 2021) by admini

The list of security items a company probably doesn’t need within the next five years includes personal digital signatures, quantum key exchanges, passive intrusion detection, biometrics, tempest shielding (to protect some devices from emanating decipherable data), default passwords, or enterprise digital rights management outside of workgroups, according to Victor Wheatman, vice president and research area director at Gartner, based in Stamford, Conn.

“You have to be aware of what the over-hyped technologies are. You don’t need personal digital signatures, because in most cases, an electronic signature will be enough and in terms of biometrics, you won’t need that unless your company is using airplane pilots or has high-level executives that won’t or can’t remember passwords,” Wheatman said.

Wheatman also singled out “500-page security policies” and security awareness posters as things an IT manager would be better off not spending company resources on. “You do need security policies, but not ones so large that no one reads them.”

It is also important to have a business continuity plan. “We got a lot of calls when the hurricanes came through Florida, but for the most part, that was a little too late.”

IT managers need to be much more proactive about implementing systems that work correctly in the first place, rather than spending the time and money on fixing problems after the fact, Wheatman said. Software need not have flaws, Wheatman stressed, and IT managers need to challenge their vendors to make safer software, otherwise the security costs within the industry will simply continue to grow.

“We’ve been in the biggest beta test in history and this test is still going on: It’s called Windows,” Wheatman said. “Longhorn will fix some of the problems (within Windows), but it isn’t a full solution and flaws will remain. Our studies have found that it is three to five times more expensive to remove software defects after the fact. Why not get it right to begin with?” A company should demand proof that a software product it buys is safe and make sure that the vendor has reviewed the code of the software with security in mind, he said.

By 2006, Gartner is projecting that when it comes to software and hardware, a company will be spending 4% to 5% of its IT budget on security. That number could jump as high as 6% to 9% when staff and outsourcing services are factored in. But the IT departments that spend most efficiently on security, even if the expenditure is between 3% and 4% of the IT budget, could actually be the most secure, Wheatman said.

Martin Smith, managing director of the security consultancy The Security Company (International) Ltd., said in a separate speech that Wheatman may have been too quick to dismiss some basic items such as security awareness posters and security policies, because users need the clear framework that some of those items can provide. But he did agree with Wheatman that IT managers need to establish a roadmap for keeping IT systems secure. “In IT security, do the stuff that’s quick and easy: passwords, training and awareness in the areas that matter. We have an appalling absence of basic management metrics for our trade.”






© 2025 CyberSecurity Institute | Powered by Superbs Personal Blog theme