There’s good news in a recent study of companies’ IT budgets: Firms are starting to invest in IT security. But the bad news: They aren’t spending that money in the right places.
While IT security investments are increasing, that spending isn’t going toward the technologies that have the biggest impact on the protection of companies’ data, according to a survey recently conducted by IT security firm SafeNet.
And even worse: The folks in charge of securing the company’s data know there’s something wrong with what they’re doing but organizations aren’t changing their course.
Among the 230 IT security professionals surveyed, 35% believe security dollars are being spent on the wrong technologies. However, nearly all (95%) said the company is continuing to spend money on the same security tools.
That could explain why many IT departments have serious concerns about their company’s ability to protect data. In fact, 20% of the IT pros surveyed said they wouldn’t trust their own personal data to be kept safe on the company’s network.
The majority (65%) believe their company will suffer a major breach within the next three years.
Beyond perimeter security
One problem is that companies have focused on securing the perimeter but haven’t segregated their networks or taken other steps to provide additional layers of security. Therefore, while 74% of IT pros say their perimeter defenses are effective, 59% said the organization’s most critical data will be at risk if and when the perimeter is breached.
Companies are constantly coming under attack from cyber criminals. Perimeter security is important, but even with the best defenses in place it’s likely one of those attacks will be successful at some point.
That’s why companies need to go beyond firewalls, antivirus systems and other IT security tools designed to thwart attacks and give some attention to tools and techniques that can keep the most important data safe if attackers do find a way onto the network. Such measures include:
- Encrypting specific drives and folders that contain sensitive data
- Limiting users’ and IT employees’ access rights to reduce the damage if their accounts are compromised, and
- Segregating networks so that an intruder into one area doesn’t have access to all the data stored throughout the company — for example keeping users’ Internet-facing desktops separate from servers holding critical data.
Monitoring for IT security incidents
Another issue: Companies aren’t focused enough on monitoring for attacks and mitigating breaches. Among the security pros surveyed — in other words, the people who should have the most knowledge of security incidents in the company — 20% said they didn’t know if the organization had been breached recently.
Those businesses aren’t alone, as other reports have shown that many organizations hit by cyber attacks don’t know they’ve been hacked until they’re notified by breach victims or law enforcement agencies.
That can prove costly, as the longer it takes before the breach is discovered, the more sensitive data will end up in the hands of cyber criminals — and the more it will cost to clean up after the incident.
That’s why it’s important for businesses to invest not only in tools to prevent data breaches, but also in effective methods to discover and mitigate those attacks. That could include installing intrusion detection systems, as well as keeping logs of network traffic and putting in the time and effort to analyze them for signs of suspicious activity.
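As an added example (not part of this article, nor of the SafeNet or Ponemon studies it cites), the Python script below ties together two of the recommendations above: the network segmentation described under “Beyond perimeter security” and the log review described here. It encodes a segmentation policy (desktops may reach application servers, application servers may reach the critical-data segment, desktops may never reach critical data directly) and then scans connection-log lines for flows that break that policy and for repeated authentication failures against one host. The zone address ranges, the log line format, the failure threshold and the sample log lines are all constructed for the example.

```python
# Added example, not from the original article: a segmentation-policy check
# run over constructed connection-log lines. Every zone range, the log format
# ("timestamp src dst port result") and the threshold below are assumptions.
import ipaddress
from collections import Counter

# Hypothetical zone layout: user desktops, application servers and the servers
# holding critical data.
ZONES = {
    "desktops": ipaddress.ip_network("10.10.0.0/16"),
    "app_servers": ipaddress.ip_network("10.20.0.0/24"),
    "critical_data": ipaddress.ip_network("10.30.0.0/24"),
}

# (source zone, destination zone) pairs that the segmentation policy permits.
# Anything not listed, including desktops -> critical_data, is a violation.
ALLOWED_FLOWS = {
    ("desktops", "app_servers"),
    ("app_servers", "app_servers"),
    ("app_servers", "critical_data"),
    ("critical_data", "critical_data"),
}

# Number of failed logins from one source to one destination before we flag it.
FAILED_LOGIN_THRESHOLD = 3


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_line(line):
    """Parse one constructed log line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, result = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        port = int(port)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "port": port, "result": result}


def find_suspicious(lines):
    """Return (kind, src, dst, port) tuples for policy violations and brute-force-like failures."""
    findings = []
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip junk rather than crash mid-review
            continue
        flow = (zone_of(rec["src"]), zone_of(rec["dst"]))
        if flow not in ALLOWED_FLOWS:
            findings.append(("segmentation_violation", rec["src"], rec["dst"], rec["port"]))
        if rec["result"] == "auth_fail":
            key = (rec["src"], rec["dst"])
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:  # flag once, at the threshold
                findings.append(("repeated_auth_failures", rec["src"], rec["dst"], rec["port"]))
    return findings


# Constructed sample log: one permitted desktop -> app flow, one permitted
# app -> database flow, a desktop talking straight to the database segment
# three times with failed logins, a junk line, and a permitted internal flow.
SAMPLE_LOG = [
    "2013-03-01T09:00:01 10.10.4.7 10.20.0.5 443 ok",
    "2013-03-01T09:00:05 10.20.0.5 10.30.0.9 5432 ok",
    "2013-03-01T09:01:10 10.10.4.7 10.30.0.9 5432 auth_fail",
    "2013-03-01T09:01:12 10.10.4.7 10.30.0.9 5432 auth_fail",
    "2013-03-01T09:01:15 10.10.4.7 10.30.0.9 5432 auth_fail",
    "this line is not a log record",
    "2013-03-01T09:02:00 10.30.0.9 10.30.0.10 445 ok",
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

On the sample log the script reports three segmentation violations (the desktop reaching the critical-data segment directly) and one repeated-failure finding for the same source and destination pair. The point of the example is the pairing: the segmentation policy is what makes those desktop-to-database connections stand out in the log at all, which is why the article treats segmentation and monitoring as complementary rather than as alternatives.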
Also, it pays to have a data breach response plan in place before an incident occurs. The plan should cover who will be in charge of the mitigation efforts, how investigations will be carried out and how affected individuals will be notified.
Conducting a thorough investigation can be particularly important. A recent breach at the New York Times enabled attackers to keep accessing the newspaper’s network for four months because the company initially failed to discover all of the back doors that had been opened by the hackers.
Other effective security technologies
The troubling news for IT security teams and the companies trying to find the best ways to invest their security dollars is that cyber attacks are becoming more frequent and more costly across the board.
According to a study released last year by the Ponemon Institute, the frequency of attacks had risen by 44% compared to the previous year. And on average, the 56 companies with at least 1,000 employees studied had each lost $8.9 million in the past year due to cyber attacks. That was up from $8.4 million in 2011.
However, those companies did have some success implementing various tools and technologies to prevent and mitigate attacks.
These were the seven most effective IT security investments those firms made in 2012, based on their estimated cost savings, according to Ponemon:
- Security intelligence systems (average savings of $1.7 million)
- Access governance tools ($1.6 million)
- Enterprise governance, risk and compliance (GRC) tools ($1.4 million)
- Data loss prevention tools ($870,000)
- Encryption technologies ($850,000)
- Firewalls and perimeter controls ($650,000), and
- Automated policy management tools ($350,000).