Security threats to business-technology systems keep growing. More than 76,000 security incidents were reported in the first six months of this year, compared with about 82,000 reported for all of 2002. Despite that increase, fewer businesses this year rank security as a high priority, fewer plan to boost security spending, and a growing number say money isn't the biggest barrier to better security, according to results of the 2003 InformationWeek Research U.S. Information Security Survey.
Business-technology executives are betting that they've built the fundamental security infrastructure they need, and now it's a matter of better execution and keeping pace with the threats that get more sophisticated and damaging all the time. Does this reflect a dangerous complacency among American businesses--or good business sense?
"I wouldn't say people think they have security beat," says John Kellington, senior VP and chief technology officer at Ohio Casualty Group, a provider of business and consumer insurance with $1.7 billion in annual revenue. "But there is light at the end of the tunnel. The tools have generally gotten better to manage access and see what's occurring on networks."
That may help to explain why 58% of the 815 business-technology professionals responding to the survey this year rank information security as a high priority, down from 72% in the 2001 survey. This year, 39% say they plan to increase security spending; last year the number was 49%. And just 16% say they have increased spending 10% or more in the past year.
The threat certainly hasn't declined. CERT Coordination Center, the federally funded security group at Carnegie Mellon University, says there were 76,404 security incidents reported in the first half of this year, compared with 82,094 for all of last year. Also, 4,129 software security vulnerabilities, nearly 80 a week, were reported to CERT in 2002. This year, the pace is similar, at nearly 77 a week.
The numbers don't tell the full story, as the threats have gotten more sophisticated. Security vendor Symantec Corp. analyzes viruses and worms that its customers provide; in the second half of 2002, nearly 80% of threats submitted were "blended threats," combination attacks that seek to take advantage of multiple software vulnerabilities to invade systems. Symantec also found a substantial increase in the number of viruses and worms that steal confidential information. In many cases, these attacks were successful even though the software holes they took advantage of were well known and could have been fixed with software patches that had been available for months.
A blended attack hit last month when a variant of the original Bugbear worm, known as Bugbear.B, spread across the Internet. Bugbear.B is a complex worm that infects systems through E-mail and across vulnerable networks. It installed a tiny application that copied keystrokes, including logons and passwords, and a Trojan horse that let hackers remotely access infected computer systems. Bugbear.B also attempted to disable many popular antivirus and desktop firewall apps.
Yet, even with these sophisticated and vicious attacks, the most-likely reason companies aren't bingeing on security products anymore is that their losses are manageable. The most-common problem caused by security attacks, cited by almost half of survey respondents, is business applications and E-mail being unavailable, with 45% saying their networks were unavailable. That can be very costly at some businesses and merely inconvenient for many more. Only 13% say an attack resulted in unauthorized information access, while only 6% say it caused a financial loss, intellectual-property theft, or identity theft, and 4% say it caused damage to brand or reputation.
Look at Bugbear.B: Despite its menace, the worm didn't cause severe problems for companies that had reasonable security systems in place. "We had remote workers infected, and it managed to work its way onto a small part of our network," says the network administrator at an East Coast financial-services firm, who asked not to be identified. "But it didn't cause more than a few hours cleanup. The worst part was all of the calls to the help desk from people asking if they were infected who actually weren't."
More companies are successfully fending off attacks or limiting damage. Only 45% of companies in the 2003 InformationWeek security survey say they fell victim to computer viruses or worm attacks, a big decline from the 70% that reported successful attacks in the 2001 survey. The second-highest category of attack, denial of service, hit only 19% of companies. And total annual losses from security breaches have plummeted from about $456 million in 2001 to around $202 million in 2002, according to the 2003 Computer Security Institute/FBI Computer Crime and Security Survey.
Another change is that more money for IT security products and people isn't seen as the only answer. For the past two years, almost 60% of respondents to the InformationWeek survey cited capital expense as one of the most significant barriers to IT security. This year, 44% do. Another barrier to effective security, lack of time, fell from 51% last year to 37% this year.
But the battle to secure IT systems is far from over. Some 49% of managers say the most significant barrier to effective security is the increasing sophistication of threats. In January, the SQL Slammer worm slowed Internet performance and infected roughly 75,000 systems in about 10 minutes. It was the fastest-spreading worm in history and resulted in $1 billion in damage and cleanup costs globally, according to some security experts. In February, Data Processors International, a company that processes credit-card transactions, had its systems breached and may have had as many as 8 million credit-card numbers stolen. And late last year, an insider at Teledata Communications Inc. allegedly accessed credit files of more than 30,000 consumers, which included customers of Ford Motor Credit.
Despite these high-profile incidents, it appears the reduction in successful attacks and losses caused by those attacks has prompted some companies to shift their priorities from buying security systems to better managing the ones they have. "The initial security big bang, where companies came in and established their policies and made big security purchases, may be over," says Bill Stevenson, information-security officer with New Century Mortgage Corp., a residential mortgage-services company. "Many companies may be focusing on managing security and auditing their systems."
Tighter IT budgets play a role in shifting priorities as well. "People can't keep throwing money at the security problem. The strategies have to change," says John Pescatore, a Gartner research director. The IT advisory firm estimates companies will spend, on average, 5.4% of their IT budgets on security in 2003. "Next year, a lot of companies are going to ask if they really need to get to 6% or 10%. Many companies will conclude they've gotten to the right level. A lot of companies are going to decide that they've thrown a lot of stuff at security and that they now have the right balance."
As companies get a clearer understanding of the threats and costs, they're better able to measure the value of security systems and weigh that spending against other initiatives. "From a budgeting point of view, security is just another part of the IT budget, and it's competing hard for high priority along with everything else," says Lloyd Hession, chief information-security officer for Radianz, a network-services provider for financial-services companies.
Many executives characterize the transition not so much as a drop in security's importance but as an increase in companies' preparedness. "I've not seen a drop in priority here," says John Hartmann, VP for security and corporate services at Home Depot Inc. "In recent years, there was a significant ramp up, and people spent more time and attention on security. Now security is more in place in a lot of organizations."
The survey results support the proposition that most companies have the fundamentals of security in place. Most of them have network firewalls (81%) and antivirus software (79%) and are using VPNs (71%), access management, and other security applications. As a result, businesses may believe they've invested heavily in security and are reluctant to keep up the pace of spending. "2002 was also a pretty slow economic year, and it just makes sense that security spending increases would drop in line with that," Hartmann says.
As companies weigh advanced security against other IT-intensive projects, many don't see security delivering higher revenue. Security experts say that's why many businesses spend as little as possible on IT security. Yes, some companies have invested in the latest security gear, such as centrally managed personal firewalls, application firewalls, and security-event monitoring applications. But they're in the minority. "The business guy is asking: 'What's the downside of not spending heavily on security?'" Radianz's Hession says. "Unless you're heavily regulated, you don't have a compelling business driver to spend on security. If you ask people at regulated companies how much they're spending on security, they'll tell you that they're spending the least amount of money possible so the regulators won't shut them down."
Regulation is the fastest-growing reason for security spending--59% cite legal or regulatory requirements as a justification, up from 49% last year. New federal and state regulations, such as the Health Insurance Portability and Accountability Act and California's security-disclosure law, cover the protection of customer information and reporting of security breaches, forcing some businesses to spend more. The only reason cited more often is liability, which at 70% is about the same as last year. Just 41% of survey respondents cite a potential revenue impact as justification, down from 48% last year. About a quarter cite a partner or vendor requirement.
Most companies haven't deployed more-sophisticated security applications outside of basic firewalls and virus-detection software. Only 32% have intrusion-detection systems, 34% have personal or user firewalls, 43% monitor employee Web usage, 30% have application firewalls, and 23% use vulnerability-assessment tools. Those numbers have changed little in the past two years. In addition, only 28% conduct security training for systems and network administrators, and only 23% have a security-awareness campaign, a keystone to any well-designed security program. The number of companies providing security training and conducting security-awareness programs has declined in the past two years, survey results show.
Companies that have spent heavily on advanced security now face the challenge of making those systems work effectively. Firewalls and intrusion-detection systems can generate a flood of alerts and other kinds of data, so the increasingly important task is finding the serious threat among thousands of minor alerts. That's why some buy applications to help them manage their security systems and analyze the data they produce.
By using Addamark software, Lehman VP Engle focuses on getting a better understanding of security-related network data
The large volume of security data made it difficult to respond when a Lehman business unit asked for information about something that may have occurred on the network. Engle or his staff had to spend hours searching logs for the answer. "One query I performed on proxy logs took eight hours to complete," he says. Using Addamark Technologies Inc.'s Omnisight to consolidate security- and application-activity logs, Engle says, research that took hours can be completed in minutes.
Whether it's better management or better tools, IT security will always be a balancing act between risk and cost. After several years of fast-growing security budgets, there's a marked change in executives' attitudes--they believe they've at least caught up to the threats that face company networks. "Management is now placing bets that it's better to spend IT dollars on things other than security," Radianz's Hession says. "And there haven't been many events to show that that's a bad bet for most companies."
Of course, that could change if business networks and information systems are successfully attacked and damaged by new, unforeseen threats. An attack that results in crashed systems for a long period of time or the very public theft of confidential customer data could get executives pushing security higher up on the urgent list--and opening their wallets all over again.