The security landscape 2006

As ever, the recent InfoSecurity Europe show threw up some fascinating insights into the state of the IT security market. Here we present the highlights of the show and what is about to happen in IT security.



Nearly two-thirds of respondents to the recent biennial Department of Trade and Industry (DTI) Information Security Breaches Survey expect there to be more security incidents in the next year than in the last. And three-fifths of companies believe it will be harder to detect security breaches in the future.


These conclusions, revealed at the Infosecurity Show, demonstrate that UK businesses are winning yesterday’s battles, but are not preparing the foundations for defeating a more technology-focused form of guerrilla warfare.


And there lies the rub. The survey results show that even as the UK embraces the internet, with many small businesses making the most of their broadband connections, this new environment is accompanied by new security threats. There are more sophisticated blended threats; spyware, driven by organised crime; and the advent of new technologies such as instant messaging and voice over Internet Protocol (VoIP), which have scarcely been addressed.


As the survey concludes, “This is certainly not a time for complacency”. Although the number of companies affected has dropped slightly in the last two years, it is still twice the level seen a decade ago. In addition, the total cost of security incidents is up on two years ago, with small businesses particularly taking the brunt of attacks. Broadband may be always on; it’s also always under attack.


That is not to say security is not a priority for many companies. It clearly has to be, with 97% of companies having an internet connection, 88% of which are broadband, and around 80% having a website.


So, given the increased dependence on IT systems, it is vital that firms continue to take information security seriously, and generally, they say they do. Three-quarters of UK businesses rate security as a high or very high priority to their senior management or board of directors, and that priority is consistent across all sizes of company.


Although businesses need to carry out security risk assessments, only 44% of companies have done so in the last year. On the other hand, the number of companies with a formal security policy is at its highest level: nearly three times as many have a security policy as did six years ago.


Those policies are being supported by increased information security expenditure, some of which is spent acquiring external expertise. The average UK business now spends 4% to 5% of its IT budget on information security, and almost every UK business makes some use of external guidance or expertise to supplement its in-house security capability. Such an investment in security has translated into progress against all five key recommendations made two years ago, which comprised drawing on the right expertise, setting clear policies, investing in security, keeping defences up to date and responding to security incidents.


But there is no getting away from the issue that new technologies pose a particular security threat. Anti-virus and patching disciplines have improved, yet a quarter of UK businesses are not protected against spyware. In addition, only 1% have a comprehensive approach to identity management, with 84% saying there is no business requirement to improve this.


Three-fifths of companies that allow remote access do not encrypt their transmissions; yet those businesses that do allow remote access are more likely to have their networks penetrated than other companies.


One in five wireless networks is still completely unprotected, and a further one in five is unencrypted. As for removable media devices, which can hold large volumes of data, 55% of firms have taken no steps to protect themselves against the threat posed by such devices.


There’s another area that many in the know are now warning about: the insider threat. While botnets may have been the sexy subject for discussion, a number of companies exhibiting at the show reported a significant increase in the number of visitors to their stands who had reported insider attacks resulting in corporate losses.


The banking and financial services world, in particular, is worried that those insider attacks – which many have been warning about for years – are now becoming a reality, perhaps driven by bribes from organised crime. It’s perhaps no surprise, then, that a recent survey by Websense at the e-Crime Congress found that 45% of e-crime experts believe the biggest threat to an organisation’s data comes from inside the company.


Testing is another area that has seen an interesting trend, with specialists such as First Base Technologies, an exhibitor at Infosecurity and a veteran penetration testing specialist, warning that those providing penetration testing services need to invest more time in the reports they write for clients. The number of organisations claiming to offer penetration testing services – usually as part of a portfolio – may have increased, but some might say the overall quality of their reporting hasn’t.


Infosecurity wouldn’t have been complete without some newcomers. Perhaps the one with the highest profile, thanks to a testimonial from Paul Simmonds, global chief information security officer at ICI, was Secerno, an Oxford-based company specialising in application-level intrusion detection, and whose first products will be aimed at protecting databases.


Overall, there is little doubt that security-savvy companies are now adopting an integrated risk-based approach to information security, including taking account of emerging technologies, and securing the organisation against them.


Without these actions, there is little doubt that UK businesses face being exposed in tomorrow’s security landscape. And if those businesses have to be aware of the threats posed by new and fast-moving technologies, then so should the DTI. So, there must be a case for making the Security Breaches Survey an annual event: there is no predicting what the security landscape will look like in two years.
