Compliance, New Threats Drive Security Spending

Pity U.S. IT organizations. Not only must they grapple with rising regulatory and compliance costs, but many are coming to grips with another rising cost: security. Enterprise security is an expensive proposition, one that's likely to get even more expensive as organizations take further steps to protect themselves.

The good news, according to a new survey from security software vendor CA Inc., is that all of that money seems to have been well-spent.

CA's latest Security and Identity Access Management (IAM) Survey found an overall decrease in the number of organizations that reported virus, network and denial of service (DoS) attacks last year.

What's more, CA indicated, almost 15 percent of shops said they hadn't experienced (known) attacks of any kind. That's up from 11 percent in 2006.

That figure includes virus outbreaks. Last year, almost 60 percent of enterprises grappled with virus attacks, down from almost 70 percent in 2006. Meanwhile, just 40 percent of U.S. enterprises battled network attacks last year; that's down from half of all shops in 2006.

DoS attacks appear to be on the wane; just over a quarter (26 percent) of organizations were victims of DoS activity in 2007, CA said. That's a steep decline from 2006's tally of 40 percent.

Even as IT organizations have clamped down on traditional attack vectors, they're increasingly coming to grips with another line of attack: breaches from within.

According to CA, the percentage of survey respondents who experienced internal security breaches increased slightly from its 2006 survey, climbing to 44 percent in 2007 (an uptick of 2 percentage points). That's a sharp spike from half-a-decade ago, when less than one-sixth of IT organizations experienced an internal breach.

"The increase of internal threat also appears to be making it more difficult for organizations to successfully manage and contain the costs associated with security attacks/breaches," the CA survey said.

Serious Breaches
The numbers paint a grim picture. In 2007, more than a third of organizations reported losing confidential customer or transactional data as a result of security breaches; that compares with just 22 percent two years ago.

What's more, internal breaches have disastrous real-world consequences, in terms of both costs and irate customers. According to the CA survey, one-third of organizations say they suffered reduced customer satisfaction as a result of breach or attack, while almost two-thirds (61 percent) experienced diminished productivity. This, of course, plays to one of CA's product categories: IAM.

"U.S. businesses and governments recognize it doesn't take much to shake consumer confidence, and they recognize the need to do all they can to assure consumers and constituents," said Lina Liberti, vice president, CA Security Management, in a statement. "As the growth of security threats change from external attacks [such as] distributed denial of service to the insider threat, businesses are turning to identity and access management solutions to combat that internal threat. This survey indicated that the number of organizations planning to roll out identity and access management solutions in the next 12 to 18 months increased 11 [percentage points], moving from 49 percent in 2006 to 60 percent in 2008."

Increasingly, a majority of organizations are devoting the bulk of their IT spending to security compliance. In 2007, for example, four-fifths of survey respondents reporting spending 10 percent or more of their IT budgets on security compliance, while more than half (56 percent) said that their firms spend 20 percent or more of their IT dollars on security compliance.

Over time, security budgets will gobble up an ever-larger share of overall IT spending, according to CA officials.

"The survey points to an increase in the severity of consequences of internal breaches. The implications are now tied squarely to dollars and reputation," Liberti said. "The potential aftershocks of an internal breach [have] the attention of both the business and IT, and for enterprise organizations the priority has now shifted from reactive to proactive security strategies to deal with this threat."

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.


  • The Case for In-Application Backups

    Application-integrated backup tools should never replace conventional backups, but they have their place.

  • Microsoft Uniting OneDrive and SharePoint Admin Portals Next Month

    Microsoft is converging its OneDrive and SharePoint Admin Center management portals, with a consolidated portal expected to arrive for Microsoft 365 subscribers "through February."

  • Phishing Tops Concerns in Microsoft Study of Remote Work

    Potential phishing attacks were a top concern of most IT security professionals when organizations switched to remote-work conditions early last year.

  • How To Configure Windows 10 for Intel Optane Memory

    Intel's Optane memory technology can significantly improve the performance of your Windows 10 system -- provided you enable it correctly. A single mistake can render the system unbootable. Here's how to do it the right way.

comments powered by Disqus