Tough Economy Never Good for Security
Over a year ago, some security research shops began highlighting the rise of a certain set of attacks they said were being driven by the downturn in the worldwide economy.
In addition to the most predictable set of social engineering campaigns aimed at tapping into public interest in the economic landslide, the only substantive conclusions that anyone was able to make in marrying the topics appeared to be the notion that cyber-crime was still trucking along even as other fortunes tanked.
However, since malware has been surging fairly consistently since long before the recession ever got going, those results never seemed too convincing, or at least never garnered that much ink.
In the meantime, many analysts predicted that security spending would hold steady or slightly increase even as larger IT budgets faltered, which seemed to make a little sense, since, if you believe those same experts, security spending has been growing at a rate pretty commensurate with the rising tide of electronic attacks for at least a good few years.
But, some forward-thinking IT security experts also began forecasting that even if dedicated spending didn't falter, security certainly would, especially as layoffs took hold in the overall IT work force and people like network and desktop admins, who take care of so many daily security tasks, began to see their ranks thinned out due to the economy.
And now, it could get worse.
In a new survey issued by experts at consulting giant Deloitte, respondents indicated that not only do they still feel increasingly threatened by cyber-attacks, but they are now also being forced to cut their security budgets based on outside economic forces.
According to the report, of the over 200 IT workers surveyed, some 32 percent said their employers reduced their information security budgets in 2009, while 60 percent of respondents stated that their organizations are either "falling behind" or still "catching up" to their existing security threats -- a 49 percent increase compared with the results of a similar survey taken one year ago.
In a nod to the idea that security is seeing a rapid slowdown, Deloitte reported that only 6 percent of those surveyed said they would attribute 7 percent or more of their overall IT spending to security, compared with 36 percent in the previous batch of results. Companies are now "explicitly scaling back" their security budgets, the consulting company contended.
In the area of adoption of newer security products, only 53 percent of respondents said they still consider their organizations to be early adopters, a downturn from 67 percent. Companies are focusing more effort on optimizing solutions that are already in place rather than investing in cutting-edge technology that can be capitalized upon during economic recovery.
With fewer bodies around to man the controls, a scant 28 percent of respondents replied that they would qualify their organizations as "very confident" or "extremely confident" in relation to internal threats, down from 51 percent. Some 41 percent of the respondents admitted that they have had at least one internal security breach in the past 12 months alone.
In terms of the types of insider threats people are scared of, over 80 percent of survey respondents named "exploitation of vulnerabilities in Web 2.0 technologies" and "social engineering" techniques as a threat to their company's information security.
OK, so it's also fair to say people don't trust their own people anymore. This is not going anywhere good.
"Companies that do not have a sound understanding of their security risk profile, or who under-invest in security now, may find themselves exposed to significant and increasingly sophisticated threats that they are not equipped to mitigate," observed Irfan Saif, a principal in Deloitte's Audit and Enterprise Risk Services group.
And the evidence would seem to indicate that this already describes a majority of organizations, not a minority.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.