Internet Attack Fears Keep IT Security Spending on the Menu

A survey from Finjan says 25 percent of security pros admit their organizations have experienced a security breach, and many others aren't sure. With many security pros expecting their budgets to go up in 2009, data protection and other security technologies remain key spending items for businesses.

Businesses are afraid of cyber-crime, and rightly so, as a survey of nearly 1,400 IT security professionals by Finjan found 25 percent admitted experiencing a security breach at their company.

Another 42 percent could not rule out the possibility that their data had been breached. The statistics, contained in Finjan's "Web Security Survey 2008" report, come on the heels of a survey by Forrester Research that found about 96 percent of IT security pros expect their budgets to either increase or stay the same in the coming year.

Taken in combination, the two studies underscore the attitudes behind the growing emphasis on IT security among businesses. In the Forrester study, which features responses from more than 1,200 North American security decision makers, 21 percent of respondents said they expect their IT security budgets to increase in 2009. Nearly 75 percent expected the budget to remain the same, while the remainder predicted cuts.

Alex Jablenski, IT security team leader for Philips Healthcare, said his company's Philips Lifeline division will see its security budget jump 33 percent in 2009.

"In 2009 we will be purchasing more IPS [intrusion prevention system] devices," Jablenski said. "As we gain better understanding of the various threat scenarios it has become apparent that large-scale network-type attacks have taken a backseat to ... customized time-blended attacks against entities perceived to contain or have access to sensitive financial data.

"We have also seen a vast increase in social exploit attempts, mostly in the form of phishing requests," he continued. "Lastly we have seen how unencrypted data which has been lost due to misplacement or theft has been consequently used later for illegal purposes. For those reasons, while we maintain a strong defensive posture toward wire attacks, we have turned our attention to addressing the more elusive aspects of IT security such as data encryption while at rest and anti-social-engineering education of our employees."

When separated by vertical, the respondents to the Finjan study still expressed largely similar beliefs regarding whether or not they had experienced a breach. Forty-five percent of those working in the health care sector and 43 percent working in the finance and banking industries said their organizations had never been breached. In the government sector, however, that number dropped to 32 percent.

About 73 percent of the respondents in the Finjan survey listed data theft as a top concern. Perhaps correspondingly, more than half of the respondents to the Forrester Research survey counted data protection as their top priority for 2009.

"People mean different things when they say data protection, but it typically translates into encryption and DLP [data loss prevention]," said Forrester Research analyst Khalid Kark.

However, Kark said, "The corporate cultures are changing, [and] boards and executive managers are realizing that technology is only part of the solution. Security is all about people and adjusting the culture of the organization."