Just as the network security industry braces for a rough year, IT managers are backing off security spending — making for a dangerous mix of circumstances, according to industry analysts.
“People are willing to take more risks than I’ve ever seen before,” says Dan Woolley, a vice president at SilentRunner, a network security company. “I find it a very bothersome trend since we’re expecting to see a doubling of security incidents this year… The world situation is promoting it. We’re seeing a lot more focused activity coming from locations I would say are not quite so friendly to us.”
Security analysts are widely predicting that incidents will skyrocket in 2003 — everything from Web site defacements to worms, viruses, insider-based attacks and now hacktivism.
A recent study by the Aberdeen Group, an industry analyst firm based in Boston, noted that reported security incidents are expected to top 200,000 this year. That’s double the 100,000 reported incidents from 2002. And that’s just what is being reported. Aberdeen analysts say there were 7.9 million unreported incidents last year. That number is expected to hit 15.9 million this year.
And despite the numbers and warnings, analysts and consultants say IT managers simply aren’t planning to spend an increasing amount on security this year. Many are planning on cutting back after increased expenditures that followed the terrorist attacks in September of 2001. And many are simply trying to make do with smaller budgets and a smaller IT staff in a rough economic period.
At least one study, however, predicts that the lull in IT spending shouldn’t be a long one. A recent report by Framingham, Mass.-based IDC shows that the IT security market is expected to double between 2001 and 2006. Analysts are hoping spending picks up sooner rather than later, but not everyone is convinced it will pick up in time to deal with the security issues coming down the pike this year.
It’s a confluence of circumstances that is producing smaller expenditures at a time of great risk.
“We’re seeing people who say they just can’t see putting more into it at this point,” says Woolley. “They’ve evaluated the risk and they’ve looked at what it would cost to upgrade, and they’ve decided that they’re protected enough right now. They’re saying they just can’t afford it and they just can’t justify the cost right now. They’ll take the hit.”
Mike Rasmussen, director of research at the Giga Information Group, says IT managers shouldn’t be lulled into a feeling of safety simply because security incidents were relatively light in 2002.
“I think it’s extremely frightening,” he says, regarding the lack of security expenditures. “In 2003, we’re going to see more advanced attacks. The Slammer worm was just a prelude of what we’re going to see.”
The Slammer worm did heat things up in January. The worm, which was lightweight and fast, sped across the Internet, slowing down online traffic, disrupting business, taking some services offline and even taking down telephone service in various spots around the world. Analysts say that if Slammer had carried a malicious payload, it could have caused significant and even more expensive damage.
Chris Christianson, an analyst with IDC, says the Slammer worm is nothing compared to what’s expected this year.
“We think there’s going to be a major incident this year — an incident that causes disruption or reduces the availability of the Internet,” he says. “Slammer was just the beginning. I think there’s going to be a lot more.
“I think it’s a really bad time not to be spending on security,” Christianson adds.
And like other analysts, Christianson says political trouble with Iraq and other countries is expected to spur a new wave of attacks.
“Any time there is a period of heightened world tensions, discontent, or feelings of patriotism or allegiances to either side, we expect cyber attacks,” says George Bakos, senior security expert with the Institute for Security Technology Studies at Dartmouth College. “It may not necessarily be out-and-out cyber warfare but… Web defacements, using a worm as a denial-of-service agent.”
Bakos says now is the time for IT managers to make sure their systems are fully patched, and that there is security on multiple layers of their networks.
“I think the most bothersome concept is the thought that security is something you invest in one time and it will hold you for a while,” says Bakos. “I’m fully aware that people are stepping back from spending a little bit. You need a basic understanding of information security… Security will never enhance your bottom line. If it’s well done, it will serve to preserve it.”