News

Compliance, New Threats Drive Security Spending

Pity U.S. IT organizations. Not only must they grapple with rising regulatory and compliance costs, but many are coming to grips with another rising cost: security. Enterprise security is an expensive proposition, one that's likely to get even more expensive as organizations take further steps to protect themselves.

The good news, according to a new survey from security software vendor CA Inc., is that all of that money seems to have been well-spent.

CA's latest Security and Identity Access Management (IAM) Survey found an overall decrease in the number of organizations that reported virus, network and denial of service (DoS) attacks last year.

What's more, CA indicated, almost 15 percent of shops said they hadn't experienced (known) attacks of any kind. That's up from 11 percent in 2006.

That figure includes virus outbreaks. Last year, almost 60 percent of enterprises grappled with virus attacks, down from almost 70 percent in 2006. Meanwhile, just 40 percent of U.S. enterprises battled network attacks last year; that's down from half of all shops in 2006.

DoS attacks appear to be on the wane; just over a quarter (26 percent) of organizations were victims of DoS activity in 2007, CA said. That's a steep decline from 2006's tally of 40 percent.

Even as IT organizations have clamped down on traditional attack vectors, they're increasingly coming to grips with another line of attack: breaches from within.

According to CA, the percentage of survey respondents who experienced internal security breaches increased slightly from its 2006 survey, climbing to 44 percent in 2007 (an uptick of 2 percentage points). That's a sharp spike from half-a-decade ago, when less than one-sixth of IT organizations experienced an internal breach.

"The increase of internal threat also appears to be making it more difficult for organizations to successfully manage and contain the costs associated with security attacks/breaches," the CA survey said.

Serious Breaches
The numbers paint a grim picture. In 2007, more than a third of organizations reported losing confidential customer or transactional data as a result of security breaches; that compares with just 22 percent two years ago.

What's more, internal breaches have disastrous real-world consequences, in terms of both costs and irate customers. According to the CA survey, one-third of organizations say they suffered reduced customer satisfaction as a result of breach or attack, while almost two-thirds (61 percent) experienced diminished productivity. This, of course, plays to one of CA's product categories: IAM.

"U.S. businesses and governments recognize it doesn't take much to shake consumer confidence, and they recognize the need to do all they can to assure consumers and constituents," said Lina Liberti, vice president, CA Security Management, in a statement. "As the growth of security threats change from external attacks [such as] distributed denial of service to the insider threat, businesses are turning to identity and access management solutions to combat that internal threat. This survey indicated that the number of organizations planning to roll out identity and access management solutions in the next 12 to 18 months increased 11 [percentage points], moving from 49 percent in 2006 to 60 percent in 2008."

Increasingly, a majority of organizations are devoting the bulk of their IT spending to security compliance. In 2007, for example, four-fifths of survey respondents reporting spending 10 percent or more of their IT budgets on security compliance, while more than half (56 percent) said that their firms spend 20 percent or more of their IT dollars on security compliance.

Over time, security budgets will gobble up an ever-larger share of overall IT spending, according to CA officials.

"The survey points to an increase in the severity of consequences of internal breaches. The implications are now tied squarely to dollars and reputation," Liberti said. "The potential aftershocks of an internal breach [have] the attention of both the business and IT, and for enterprise organizations the priority has now shifted from reactive to proactive security strategies to deal with this threat."

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.