Scaling back security spending is short-sighted

Security threats have changed in recent years, with one fundamental difference being that the motives for breaches have multiplied.


Have you been paying attention?

Security threats around the world have changed over the past few years. One of the fundamental differences is that the motives for security breaches have multiplied.

Where once they were almost entirely a criminal means of monetary gain, today they are also driven by international tensions, ideological vigilantism and the desire to embarrass organisations and governments, with individuals, groups and even countries using electronic means as a form of aggression.

Who knows what groups like Anonymous, AntiSec and LulzSec will target next? Who knows what other countries or nationally focused groups might target national interests, public or private, using cyber sabotage and warfare techniques, such as those reportedly set in motion by Stuxnet.

Recent examples of companies, organisations and websites that have been hacked include Booz Allen Hamilton, the CIA, Citigroup, Epsilon, Google, Honda, the IMF, Lockheed Martin, NASA's Jet Propulsion Laboratory, NASDAQ, PBS, the Pentagon, RIM's BlackBerry blog, RSA, Sony and the US Senate.

On Aug. 2, security vendor McAfee released a white paper in which threat researcher Dmitri Alperovitch chronicled a hacking campaign dubbed Operation Shady RAT that penetrated 72 organisations in 14 countries over the past five years.

Alperovitch wrote: "I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact."

McAfee competitors Kaspersky and Symantec criticised the report for implying that the Shady RAT hackers had done something sophisticated and out of the ordinary. While that suggests that security vendors are more concerned with outdoing one another than with showing how their systems can protect enterprises, no one is disputing that long term hacking not only exists but is commonplace.

Symantec researcher Hon Lau claimed that "while [the Shady RAT] attack is indeed significant, it is one of many similar attacks taking place daily. Even as we speak, there are other malware groups targeting many other organisations in a similar manner."

Still not convinced that your company is surrounded by a rising tide of security threats? In its May 2011 report on worldwide and US security, IDC said that enterprises "already know that antivirus tools don't work against advanced persistent threats (APTs) and other malicious threats and that they are vulnerable to becoming part of the 70% of organisations that have been breached in some way.... The changing and persistent nature of those with malicious intent makes it very challenging to stay ahead of security threat management."

IT organizations need to rethink their security protections, and especially their assumptions about who and where threats come from and what may be motivating them. Five year old assumptions could easily get a company into trouble.

As if all that were not enough to contend with, IT budgets are tight at many companies. Here, then, are two considerations to keep in mind as you head into budget season: First is the question of how much a security breach would cost your company. Second is the fact that seven out of 10 companies have already experienced a security breach.

"Recommended For You"

Defensive tactics against sophisticated cyberspies Cyberattack could be next shock to UK banking system