Internal Threats Justify Increase in Security Spending

On average, only 0.4 percent of a company’s revenue is dedicated to information security in the United States, but Gartner expects that figure will increase by 10 times to 4 percent of revenue for U.S. companies by 2011.

“While email viruses and international espionage steal the media limelight, the palette of security issues spans every business process, application and desktop,” said Roberta Witty, Gartner research director. “Responsible security practices begin with business planning and carry through to the technology purchasing, implementation and improvement stages. After all, there’s no sense investing in locks if you’ve built your house out of paper.”

Gartner predicts that by 2004, 80 percent of enterprises will be using the Internet as an integral part of their business processes. Half will experience a financially significant loss due to Internet-borne incidents by that time.

“Open supply chain communications will explode over the Internet over the next two years,” Witty said. “Enterprises will save a lot of money and headaches if they address their total security plans now.”

One way to address security is through managed security service providers (MSSPs), which are enjoying ferocious growth as clients realize the benefits of outsourcing information security. According to a report by Frost & Sullivan, the MSSP industry generated $165.8 million in 2000 and is projected to surpass $2 billion by 2007.

“Clients are expected to outsource security in droves as they begin to realize that no magic plug-and-play security solutions exist,” said Jason Wright, security technologies program leader at Frost & Sullivan. “The market will be established with remarkable speed, reaching maturity before 2007.”

MSSPs have even received interest from enterprise-sized clients, which were initially assumed to have the desire and resources to keep security as an in-house operation. The financial sector has emerged as the early adopter, closely followed by government, and distantly followed by healthcare, insurance, manufacturing and even the entertainment industry.

While outsourcing may be an efficient way to deal with security problems, a survey by security software developer Camelot and eWEEK found most security breaches originate in-house. The survey found that authorized users, such as employees, contractors and consultants, commit the majority of security breaches at companies.

Among the findings of the Camelot/eWEEK survey:

  • 57 percent of respondents cited users accessing resources they shouldn’t be entitled to as a cause of network security breaches
  • 43 percent of respondents indicated security breaches were caused by user accounts left open after an employee has left the company
  • Nearly half of the companies surveyed are increasing the budget for network security software and hardware
  • One in three companies has an annual budget specifically allocated to maintain and/or upgrade a network security system. Of those companies, 40 percent have an annual budget of at least $100,000 for network security systems.
  • Close to half of the respondents plan to upgrade their network security system

“The results of the survey pinpoint a major Achilles heel too often unknown or underestimated by corporations. The recently publicized external hacks represent a very small portion of the constant infringements a network endures daily,” said Yuval Baharav, president and CEO of Camelot. “Too often, ‘authorized’ user behavior goes unchecked. In an era of downsizing, mergers and acquisitions, proprietary information is at risk. This issue, when combined with growing corporate networks while protecting privacy, represents a serious challenge. Our research shows that management is concerned about who is accessing company resources and reconsidering how security permissions are granted.”

The Camelot/eWEEK survey is based on 548 online surveys completed by business and IT decision makers among a sampling of eWEEK subscribers.
