Financially motivated targeted attacks are becoming more prevalent and new vulnerabilities continue to be reported, but 90 per cent of these attacks can be avoided without requiring any increase in security spending, according to Gartner, Inc. However, ensuring one’s organisation is not part of the 10 per cent requires implementing security processes to monitor and manage vulnerabilities and provide strong identity and access management capabilities.
 
Gartner analysts will discuss the critical technology and organisational “dos and don’ts” for successful organisation-wide security at Gartner Symposium/ITxpo 2007, which is taking place in Cannes on 4-8 November.
 
“The biggest attack risk to organisations comes from targeted attacks,” said John Pescatore, vice president and distinguished analyst for Gartner Symposium/ITxpo. “In addition, phishing and identity theft attacks have caused the rise of ‘credentialed’ attacks, in which the attacker uses the credentials of a legitimate user.” Gartner analysts estimate that the cost of sensitive data break will increase 20 per cent per year through 2009.
 
“Malicious software (malware) attacks also allow internal executables to be used to forward information to an external attacker,” Mr Pescatore said. “Being aware of ‘inside out’ communications and being able to block those as effectively as ‘outside in’ is becoming increasingly important. Security strategies must reduce the cost of dealing with mass attacks to free up investment and personnel resources to evolve capabilities for dealing with these more-complex targeted attacks.”
 
While mass attacks such as worms and viruses have continued, the investments that enterprises have made in intrusion prevention, vulnerability management and network access control have paid off, as those simple mass attacks have succeeded much less often. However, the attackers are now more financially motivated and have launched new waves of attacks that, when successful, cause enormous damage to the bottom line, but that often go unreported.
 
Gartner says that the average organisation is spending more than 5 per cent of the IT budget on security and close to 12 per cent, if disaster recovery spending is included. However, Gartner has seen little or no correlation between organisations that spend the most on security and organisations that are the most secure. While there are definite areas that require additional investment, there are just as many areas of security that can be done more efficiently.
 
“The most effective ways to become more secure while reducing security spending are to avoid vulnerabilities — to ensure that security is a top requirement for every new application, process or product, whether built in-house or acquired from a vendor,” said Ray Wagner, managing vice president for Gartner Symposium/ITxpo. “Just as important is understanding where security funds are being spent and where that spending is effective or ineffective. Security metrics should be established for all major security spending areas.”
 
The approach to security needs to move from a reactive approach to a mix of strategic planning and rapid tactical execution. “The key is to identify major technology changes and start taking steps to reduce the cost of dealing with today’s mature threats — viruses, worms and denial-of-service attacks — to free up funding and manpower to influence the new systems and business processes that are being built today and that will bring on the next generation of threats,” said Mr Pescatore.