Investments in Security Technology: What Is the Real State of Play?
By Fran Howarth, Partner
Every year, the UK's Department of Trade and Industry, in conjunction with PricewaterhouseCoopers, surveys businesses in the UK to find out what security controls they have in place. The results inevitably show that most are not doing enough to protect their businesses, even though security investments are increasing. This is rather worrying considering that the UK is regarded as one of the earlier adopters of new technologies in Europe.
Virtually all companies in the just-released 2006 survey have made some investment in security technologies, with basic technologies such as anti-virus protection in use at almost every business. The majority take viruses seriously, managing updates carefully to ensure that those investments pay off. A full 90% apply security updates to their operating systems within a week of the update's release, and investment in threat control technologies such as intrusion prevention systems is increasing.
Spending on security low, even though they know the risks
But whilst three-quarters of respondents said that security was a major issue to be taken seriously, the average UK firm spends just 4% to 5% of its IT budget on security, and roughly 40% spend less than 1%. At the same time, outsourcing of IT operations is increasing: up from 40% of all companies outsourcing some of their IT in 2002 to 53% in 2006. When operations are entrusted to a third party, the need to boost security controls is even more urgent.
Companies agree that compliance, integrity and availability are key drivers for security expenditure, with the Data Protection Act being a key driver of compliance across Europe. However, the survey results show that the majority of firms are not doing enough to prevent breaches that would contravene regulations, or that could cause sensitive information to be leaked or altered, ruining a firm's integrity. For example, just two-fifths of companies that allow remote access to their networks encrypt electronic business transactions, and just one in six scans outbound emails for inappropriate content that could harm their reputation or see intellectual property leaked. Further, 55% of respondents report that they have no control over the use of removable media such as USB dongles, and two-fifths have no control over instant messaging use by employees. Both gaps pose a threat of sensitive information leaking out or unwanted problems seeping in.
Companies complacent on tying down access control
Key to ensuring security and preventing information from getting into the wrong hands is the ability to prevent unauthorised access to data and applications residing on corporate networks, especially considering that the number of incidents related to unauthorised access is increasing and the amount of damage caused is rising. In 2006, respondents reported that one in eight incidents in which the confidentiality of information was breached led to the company suffering adverse publicity in the media, thus harming its corporate reputation, compared to none in the 2004 survey.
In terms of identity and access management, the picture is indeed bleak, with a paltry 1% of firms having achieved a comprehensive approach to identity management, including authentication, access control and user provisioning. But investments are increasing, albeit in a piecemeal fashion. For example, the proportion of companies that have automated their user provisioning function has increased from just 3% in 2004 to 8% in 2006.
Vendors need to focus more closely on business vulnerabilities
Across the board, firms in the UK appear to understand clearly the issues associated with basic security controls and technologies, but few appear to have a handle on the business risks associated with who is doing what to business information. For many, the realisation of what damage can be caused to their businesses will only dawn when it is too late and a serious problem has occurred. And the likelihood of reports of serious incidents increasing dramatically is high as criminals targeting electronic networks continue to become more sophisticated: the art of hacking has evolved from a situation where the key driver for hackers was fame and notoriety to one where financial gain is the prime motivator. Yet 84% of respondents to this survey say there is no business requirement for them to improve their identity and access management capabilities.
One of the key issues here appears to be that companies are being blinded by science: technology vendors focus too closely on describing the technical foundations of their widgets and applications. But what companies really need explained to them are the vulnerabilities they are likely to face. Technology vendors need to focus more closely on describing the benefits that their customers are seeing from their security investments. With companies increasingly worried about regulatory compliance and information integrity, many vendors need to go back to the drawing board and rethink their marketing messages to focus more clearly on what their customers actually need. The areas in which the greatest opportunities exist include creating greater awareness of the importance of identity and access management, digital rights management and device control.