The speed, stealth and sophistication with which organised, professional cybercriminals are able to steal personal and company data was a recurring theme at Infosecurity Europe 2009 from the very start.
Cybercriminals are using increasingly sophisticated social engineering techniques to lure users into installing malware. And the insider threat is also on the increase, for reasons ranging from ignorance and lack of commitment to revenge and financial need in the economic downturn.
This shift in gear is threatening to overwhelm most organisations, according to research by security risk assessment firm, Qualys.
Analysis of 72 million critical vulnerabilities out of 680 million found on 80 million IP addresses showed 80% of code exploits are being used in less than 10 days of the vulnerability's public release.
"Five years ago, it was taking cybercriminals up to 60 days to reach the 80% level," says Wolfgang Kandek, CTO at Qualys. Organisations are not getting in faster in patching known vulnerabilities. They are still taking around 30 days, but 40% are taking much longer to be fixed, the study found.
Wolfgang Kandek says something has got to change, and he believes outsourcing IT security services could provide the answer.
Outsourcing also makes sense as a way of enabling organisations to deal with the human factor in security, where many are also failing, says David Lacey, independent security researcher.
"IT security managers typically do not understand the psychology of IT users well enough to be able to manage risk effectively and lack the skills to change user behaviour," David Lacey says.
Cloud computing promises to become the most financially attractive means of delivering technology-based IT security services, says Kandek
The IT security industry has not missed the business opportunity, with a marked swing on the exhibition floor to services, many using the cloud-based model.
"Infosec used to be all about product, but this year, easily a third of suppliers are selling services," says Bruce Schneier, chief security technology officer at BT.
This is an indication that the security industry is maturing as customers begin to care less about the details than about the end result, Bruce Schneier says.
Guy Bunker, chief architect in the data management group at Symantec, agrees the move to IT security services is inevitable.
"Security is now about putting protection around data and that is not as simple as it used to be," Guy Bunker says.
The cloud offers business benefits such as lower cost and increased flexibility, but Bunker has reservations.
Organisations should be absolutely sure they have asked all the right questions to ascertain the true level of risk before signing up to this model, he says.
The technological and psychological skills required to tackle a ruthlessly committed and well organised network of cybercriminals are rapidly exceeding the resources of most organisations.
Few will have an alternative to IT security services if current trends continue, but Bunker says cloud computing still has a long way to go before it will be a mature, safe delivery method.