Businesses are suffering more downtime as the threat from viruses and worms continues to grow
There's bad news on the information-security front. Hackers and virus writers are gaining ground again. Despite more spending on security technology, attacks are up for the first time in three years and downtime has increased. Business-technology and security managers are growing increasingly frustrated with flawed software that leaves openings for worms and viruses and want software vendors held legally and financially liable for security vulnerabilities in their products.
Security breaches and malicious code are more of a threat this year than last year, according to 81% of the 7,000 business-technology and security professionals from more than 40 countries who participated in the InformationWeek Research 2004 Global Information Security Survey. "It's the sheer volume of virus and worm attacks" that has caused much of the damage, says Tamara Schwartz, applications manager for information services at logistics and package-delivery company United Parcel Service Inc.
The costs are high. Research firm Computer Economics calculates that viruses and worms cost $12.5 billion worldwide in 2003. The U.S. Department of Commerce's National Institute of Standards and Technology says software flaws each year cost the U.S. economy $59.6 billion, including the cost of attacks on flawed code.
As a result of the growing number of attacks, downtime is up. The number of companies worldwide that report downtime of four to eight hours because of attacks increased from 18% to 22% year over year. Those experiencing eight to 24 hours of downtime also rose from 18% to 22%. And the number of companies that say their systems were down for one to three days because of attacks increased from 7% in 2003 to 16% in 2004. More businesses are suffering. In 1998, 50% of those surveyed reported no attack-related downtime. This year, only 6% make such a claim.
"I don't think you can find a company, any company, that doesn't see a growing risk. Intrusions and incursions are up in every business," says C. Michael Armstrong, the former CEO of AT&T who's now chairman of the security task force of the Business Roundtable, an association of U.S. CEOs, and a director for Comcast Corp., a cable TV and Internet service provider.
The problem is getting worse as the bad guys find more ways to infiltrate business-technology systems. As more businesses deploy peer-to-peer networks, instant messaging, wireless local area networks, and extended supply chains and provide an increasingly dispersed workforce with more mobile devices and ways to access systems remotely, there are more avenues than ever for hackers, worms, and viruses to penetrate computer systems and networks. "It's insane," says Randy Oehrle, network administrator for the city of Overland Park, Kan.
That helps explain plans to boost spending on security. Currently, survey respondents spend an average of 12% of their IT budgets on security, up from 8% in 2002, and roughly 60% plan to spend more dollars on security in the year ahead. Just 5% plan to decrease security spending.
Two major problems, according to survey respondents and interviews with more than a dozen security professionals, are flawed software applications and weak security tools.
The Business Roundtable, whose 150 members include General Motors, 3M, and Xerox, earlier this year called on the builders, buyers, and users of technology to focus more on security. The group, however, said the software industry had a special responsibility. Software vendors "have been strengthening their testing and they have escalated this as a priority," Armstrong says. Still, he doesn't believe that "the software providers are doing as much as they should be doing."