No Time To Relax - InformationWeek

No Time To Relax

More U.S. companies say they're spending enough to win the information-security battle. Have companies found the right balance of risk and cost, or are they dropping their guard just as threats get more vicious?

Security threats to business-technology systems keep growing. More than 76,000 security incidents were reported in the first six months of this year, compared with about 82,000 reported for all of 2002. Despite that increase, fewer businesses this year rank security as a high priority, fewer plan to boost security spending, and a growing number say money isn't the biggest barrier to better security, according to results of the 2003 InformationWeek Research U.S. Information Security Survey.

Business-technology executives are betting that they've built the fundamental security infrastructure they need, and now it's a matter of better execution and keeping pace with the threats that get more sophisticated and damaging all the time. Does this reflect a dangerous complacency among American businesses--or good business sense?

"I wouldn't say people think they have security beat," says John Kellington, senior VP and chief technology officer at Ohio Casualty Group, a provider of business and consumer insurance with $1.7 billion in annual revenue. "But there is light at the end of the tunnel. The tools have generally gotten better to manage access and see what's occurring on networks."

Attacks Hit Systems, Not Sales

That may help to explain why 58% of the 815 business-technology professionals responding to the survey this year rank information security as a high priority, down from 72% in the 2001 survey. This year, 39% say they plan to increase security spending; last year the number was 49%. And just 16% say they have increased spending 10% or more in the past year.

The threat certainly hasn't declined. CERT Coordination Center, the federally funded security group at Carnegie Mellon University, says there were 76,404 security incidents reported in the first half of this year, compared with 82,094 for all of last year. Also, 4,129 software security vulnerabilities, nearly 80 a week, were reported to CERT in 2002. This year, the pace is similar, at nearly 77 a week.

The numbers don't tell the full story, as the threats have gotten more sophisticated. Security vendor Symantec Corp. analyzes viruses and worms that its customers provide; in the second half of 2002, nearly 80% of threats submitted were "blended threats," combination attacks that seek to take advantage of multiple software vulnerabilities to invade systems. Symantec also found a substantial increase in the number of viruses and worms that steal confidential information. In many cases, these attacks were successful even though the software holes they took advantage of were well known and could have been fixed with software patches that had been available for months.

Top Concern: Liability

A blended attack hit last month when a variant of the original Bugbear worm, known as Bugbear.B, spread across the Internet. Bugbear.B is a complex worm that infects systems through E-mail and across vulnerable networks. It installed a tiny application that copied keystrokes, including logons and passwords, and a Trojan horse that let hackers remotely access infected computer systems. Bugbear.B also attempted to disable many popular antivirus and desktop firewall apps.

Yet, even with these sophisticated and vicious attacks, the most-likely reason companies aren't bingeing on security products anymore is that their losses are manageable. The most-common problem caused by security attacks, cited by almost half of survey respondents, is business applications and E-mail being unavailable, with 45% saying their networks were unavailable. That can be very costly at some businesses and merely inconvenient for many more. Only 13% say an attack resulted in unauthorized information access, while only 6% say it caused a financial loss, intellectual-property theft, or identity theft, and 4% say it caused damage to brand or reputation.

Look at Bugbear.B: Despite its menace, the worm didn't cause severe problems for companies that had reasonable security systems in place. "We had remote workers infected, and it managed to work its way onto a small part of our network," says the network administrator at an East Coast financial-services firm, who asked not to be identified. "But it didn't cause more than a few hours cleanup. The worst part was all of the calls to the help desk from people asking if they were infected who actually weren't."
