
Recession: Why It Means Disaster For IT Security

Over a year ago, some security research shops began highlighting the rise of a certain set of attacks that they said were being driven by the downturn in the worldwide economy.

In addition to the most predictable set of social engineering campaigns aimed at tapping into public interest in the economic landslide, the only substantive conclusions that anyone was able to make in marrying the topics appeared to be the notion that cyber-crime was still trucking along even as other fortunes tanked.

However, since malware has been surging fairly consistently since long before the downturn ever got going, those results never seemed too convincing, or at least never garnered that much ink.

In the meantime, many analysts predicted that security spending would hold steady or even slightly increase as larger IT budgets faltered. This seemed to make a little sense, since, if you believe those same experts, security spending has been growing at a rate pretty commensurate with the rising tide of electronic attacks for at least a good few years. Reports have found that although budgets are down, hiring is up, and IT security pay is holding up.

But some forward-thinking IT security experts also began forecasting that even if dedicated spending didn’t falter, security certainly would, especially as layoffs took hold in the overall IT workforce and people like network and desktop admins, who take care of so many daily security tasks, began to see their ranks thinned out in the wake of the economic downturn [There’s some evidence that UK public sector IT heads are letting security slide].

And now, it could get worse.

In a new survey issued by experts at consulting giant Deloitte, respondents indicated that not only do they still feel increasingly threatened by cyber-attacks, but that they are now also being forced to cut their security budgets based on outside economic forces.

According to the report, of the 200-plus IT workers surveyed, some 32 percent said that their employers reduced their information security budgets this year, while 60 percent of respondents stated that their organisations are either “falling behind” or still “catching up” to their existing security threats – a 49 percent increase compared to the results of a similar survey taken one year ago.

In a nod to the idea that security is seeing a rapid slowdown, Deloitte reported that only six percent of those surveyed said that they would attribute seven percent or more of their overall IT spend to security, compared to 36 percent in the previous batch of results. Companies are now “explicitly scaling back” their security budgets, the consulting experts contend.

In the area of adoption of newer security products, only 53 percent of respondents said they still consider their organisations to be early adopters, a downturn from 67 percent. Companies are focusing more effort on optimising solutions that are already in place rather than investing in cutting-edge technology that can be capitalised upon during economic recovery.

With fewer bodies around to man the controls, a scant 28 percent of respondents replied that they would qualify their organisations as “very confident” or “extremely confident” in relation to internal threats, down from 51 percent. Some 41 percent of the respondents admitted that they have had at least one internal security breach in the past 12 months alone.

In terms of the types of insider threats people are scared of, over 80 percent of survey respondents named “exploitation of vulnerabilities in Web 2.0 technologies” and “social engineering” techniques as a threat to their company’s information security.

OK, so it’s also fair to say that no one trusts their own people anymore. This is not going anywhere good.

“Companies that do not have a sound understanding of their security risk profile, or who under-invest in security now, may find themselves exposed to significant and increasingly sophisticated threats that they are not equipped to mitigate,” observed Irfan Saif, a principal in Deloitte’s Audit and Enterprise Risk Services group.

And the evidence would seem to indicate that this already describes a majority of organisations, not a minority.

Ach.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software.

Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud
