Experts On Demand

09.08.2011

Security Challenges and a 48 Hour Window

Two new surveys show that, despite rising enterprise investment in security software and processes, corporations remain at a disadvantage in keeping up with new threats. Elsewhere, discussion has begun to circulate around a new congressional bill that would require corporations to report security breaches, and their impact, to affected consumers and government bodies within 48 hours of discovery.

Focal Points:

  • A recent Harris Interactive survey of 200 IT security professionals showed that, despite significant improvements in security software and increasing budgets, IT executives are still struggling with security attacks. IT executives cite limited resources as their primary hurdle even as the data shows rising financial and personnel investment. The two-year survey further revealed that 76 percent of companies had issues with malware, 75 percent reported lost or stolen equipment, 74 percent had issues with external data theft, and 72 percent suffered internal data breaches. Common complaints among respondents included lack of time, an inability to manage cloud and virtualized infrastructures, shortened device life cycles, consumer devices, and the end of the traditional perimeter firewall.
  • A new study, the “Second Annual Cost of Cyber Crime,” shows the escalating costs enterprises are bearing to fend off cyber attacks. The study, conducted by the Ponemon Institute, LLC and funded by Hewlett-Packard Co., examined attacks on 50 organizations during a four-week period this year. Findings showed that the cost of combating attacks jumped an average of 70 percent from last year, with each attack taking an average of 18 days and $416,000 to resolve. Distributed denial of service (DDoS), malicious code, stolen devices, and Web-based attacks accounted for the majority of the 72 successful attacks the 50 participating organizations reported, up 45 percent from last year. Participating organizations ranged in size from 700 to 139,000 employees.
  • The spate of recent security breaches that compromised customer and employee data has the U.S. Congress up in arms and proposing new regulations. Newly introduced legislation from U.S. Representative Mary Bono Mack, the SAFE Data Act (H.R. 2577), proposes that organizations notify both affected consumers and regulatory bodies of a data breach within 48 hours of its discovery. The current text of the bill allows an organization to forgo notification if it reasonably determines that the breach does not present a "reasonable risk of identity theft, fraud, or other unlawful conduct." The rapid turnaround has many organizations worried that proper forensic analysis cannot be completed within a two-day window and that the requirement may force enterprises to cry wolf, issuing notifications before they know whether sensitive data was actually exposed. Because the exemption hinges on the organization's own risk determination, the forensic work needed to claim it must fit inside that same window.

Experton Group believes that surveys laying bare the rising costs and complexity of increasingly sophisticated cyber attacks and infrastructures, and the limited resources available to deal with them, illustrate a reality with which enterprise IT executives are all too familiar.

While security software has become considerably more capable and comprehensive in the last half-decade, faster asset turnover cycles and growing demand for new technologies, including cloud-based infrastructure and smartphones, have eroded those gains. Add the greater availability, ease of development, and nearly turnkey deployment of sophisticated attack tooling, and today’s enterprise is at a significant disadvantage in trying to prevent internal and external breaches.

If IT executives hope to reduce security exposure and the associated risk, rising security investments need to go into redundant, integrated systems that cover access control, monitoring, enforcement, and proactive, automated remediation. IT executives should also expect legislation on security breaches that expose private data to arrive in the near future.

The U.S. government’s tendency to author overly stringent regulations that offer little guidance on implementation and enforcement is well known, particularly when the issue at hand is painted simplistically as "David vs. Goliath." IT executives should therefore be concerned and bring this matter to the attention of C-level executives and corporate counsel, to ensure that any mandates serve the interests of all involved parties.

Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.

Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.

Our consulting portfolio covers technology, business processes, management, business cooperation, investments and mergers.