
July 10, 2000


It's Time To Clamp Down

When it comes to data and system security, many businesses have good intentions. But attacks and other breaches continue to exact a huge toll.

By George V. Hulme

Illustration by George Abe
    Its exact genesis is still unknown. The ILOVEYOU virus, possibly created by a student in the Philippines and released to the world in early May, spread from computer to computer as unsuspecting users clicked on an E-mail message meant to intrigue them. The self-replicating virus fed off infected PCs, quickly clogging up company E-mail systems and sending flurries of messages to even more machines. Within a few hours, more than 100,000 systems were infected; within days, tens of millions. Computer Economics, a research firm, estimates the cost to businesses at $6.7 billion over the first five days.

    Samir Bhavnani, a research analyst at Computer Economics, calls ILOVEYOU "the worst act of economic terrorism we have seen in the digital economy." But that infamous infestation is just one of the most recent in a wave of viruses, denial-of-service attacks, and site spoofs to strike businesses--and the costs are racking up. In North America, businesses forfeited a total of about 6,822 person-years (defined as one person working a 24-hour-day, 365-day shift) in productivity in the last 12 months, due to security breaches, downtime, and virus-attack cleanups, according to Reality Research & Consulting, which assisted InformationWeek Research and PricewaterhouseCoopers in our annual Global Security Survey. Worldwide businesses also experienced about 3.3% of unplanned downtime in the last year, which translates to a whopping $1.6 trillion in lost revenue.

    For businesses trying to protect themselves, there are big challenges. It's expensive, both in terms of capital and skilled labor, to secure networks, mobile workers, and E-commerce operations. Security staffs are being asked to deploy a growing number of security applications, which by their very nature are complex. For many security professionals--already spread thin--there's not enough time to design and implement the processes that will ensure these protective measures live up to their potential.

    "If you're managing the security of a large network and trying to do it right, it can be daunting, if not humanly impossible, to keep up with it all," says Robert Paszko, intrusion-response and -vulnerability manager with DuPont & Co. The Wilmington, Del., manufacturer has deployed intrusion-detection products, firewalls, and other security software over a network of more than 100,000 clients and servers in 135 sites.

    Businesses are tuned in to the problem. In this year's Global Security Survey, 71% of the 4,900 executives, security professionals, and technology managers who responded rank information security as a high priority for their businesses. That's up from 60% last year and 56% two years ago. But only 38% of the respondents say their security policies are very well aligned with their business goals. Forty-five percent say their security policies are somewhat aligned with business goals, and 17% say the two don't mesh at all.

    "That fundamentally means over 60% of companies are simply patching security onto their systems, essentially doing nothing," says Frank Prince, senior security analyst at Forrester Research. Reactively tossing security measures at a network isn't going to make it secure, he says. Companies that do that aren't taking the time to classify which information is most valuable, and thus in need of the highest level of security, he says. Indeed, the Internet data deluge seems to be having an effect on businesses' ability to handle that task: Only 33% of survey respondents say they have a security policy that includes information classification, down from 52% last year.

    At some companies, the situation is worse. Dot-com startups talk about the need for secure IT environments, but they don't always get high scores for backing up that talk. "I see companies ignoring every single layer of security," says Michael VanDercreek, director of Web infrastructure for online hosiery retailer Gazelle.com Inc. in Stamford, Conn. "I've seen people completely ignore their firewalls. They're running with no rules blocking access whatsoever."

    What these companies fail to realize, says Mark Lobel, senior manager for PricewaterhouseCoopers Technology Risk Services, is that security is a bottom-line issue, even if it's not as easily quantified as earnings. Downtime related to security breaches or espionage has steadily increased since the first InformationWeek Research/PricewaterhouseCoopers survey in 1998. That year, half of respondents said they suffered no downtime for these reasons, but that dropped to just 36% in 1999 and 26% this year. Companies need to understand that downtime is money down the drain, Lobel says. "It's revenue they never see but revenue that could be added."

    Not everyone has figured this out yet. "Companies always say security is important, but the effort doesn't track with that level of understanding and importance," says Tom Patterson, managing director of the E-commerce transactions practice at KPMG Consulting. Some companies, Patterson says, "think that if they've ever purchased a virus scanner they must have brilliant security."

    That's an overstatement, but it's a legitimate point. Fewer than half the respondents to our survey have moved to the most sophisticated levels of security: defining a security architecture, implementing intrusion-detection tools, or establishing a review and assessment program, for example. Just over 30% of companies that rank security as a high priority even have a written security policy that outlines objectives. The surveyed group also reports that enforcement standards, monitoring standards, risk analysis, and security procedures for partners and suppliers aren't as well represented in their security policies as basics such as appropriate E-mail usage.

    Inchoate and even slapdash security measures can be found in large and small companies alike. "If you took a close look at the Fortune 500, probably half wouldn't have the security programs you'd expect," says David Remnitz, CEO of information security firm IFsec LLC.

    Half the companies surveyed spent $50,000 or less last year on information security--that's less than the annual tally one might expect for a CEO's expense report. Almost half the businesses with annual revenue exceeding $500 million spent upward of $500,000 on security, but, depending on the value of their data, even that may not be enough, says Forrester analyst Prince. "If companies don't know the value of the information and how it relates to their overall business model, how can they decide how much they should justifiably spend to secure it?"

    Some companies, with reason, blame the IT worker shortage for the shortcomings in their security setups. Newmont Mining Corp., one of the world's largest gold producers, in Denver, says it's having trouble finding qualified security staff. "There just aren't enough people out there to go around," says senior network architect Daniel Kesl. Almost 40% of the survey respondents say finding staff resources will be a key security priority in the next 12 months.

    Gazelle.com's VanDercreek says some companies forced to operate at Internet speed wind up using general-purpose staff to do a specialist's job. "E-commerce sites are being implemented by IT people not experts in all areas of network architecture," he says. "They end up doing stupid things like installing the database server and continuing to use default passwords after the site is in production."

    continued...page 2, 3
