More frequent reports of data breaches, malware and other cybercrime are prompting corporate IT security managers to react in ways that actually make it more likely their employers will be attacked, according to a report published Nov. 7 by research firm Gartner.
Fear of attack has caused security staffers to shift their focus toward technical security and away from risk-management analysis and other techniques that, while less effective than technical controls at stopping an intrusion as it is happening, make successful breaches far less likely in the long run, according to Gartner’s 2013 Global Risk Management Survey.
The number and frequency of cybercrimes has been on a steady rise for four years, according to a study released Oct. 8 by Hewlett-Packard Co. and the Ponemon Institute.
The 2013 Cost of Cyber Crime Study showed that companies are on track to spend an average of $11.56 million on cybercrime prevention during 2013, an increase of 26 percent compared to 2012 and 78 percent higher than 2009.
That figure is driven by cyber-attacks that increased from an average of 102 per week in 2012 to 122 per week during 2013. The cost of an attack also rose 55 percent between 2012 and 2013, the report indicated. The length of time required to recover from an attack increased from 24 days to 32.
Cybercrime of various kinds costs the U.S. economy approximately $100 billion and the loss of 508,000 jobs per year, according to a study released in July by the Center for Strategic and International Studies.
Reacting strongly to a threat that is perceived as substantial and immediate is understandable, but represents an emotional reaction to fear, uncertainty and doubt (FUD) that puts security in a semi-permanent position of reacting to the actions of bad guys rather than taking precautions based on data showing where the risks actually lie, according to John A. Wheeler, Gartner analyst and lead author of the report.
“Strong risk-based disciplines such as enterprise risk management or risk-based information security are rooted in proactive, data-driven decision making,” Wheeler said. “These disciplines focus squarely on the uncertainty (as in, risk) as well as the methods or controls to reduce it.”
Even when it produces ostensibly positive results – such as prompting an increase in IT security spending to counter a perceived threat – FUD can have a negative overall impact.
In the 2013 edition of Gartner’s annual survey, 39 percent of companies reported slating 7 percent or more of their overall IT budget to security, compared with 23 percent during 2011.
By contrast, 53 percent of respondents in 2013 said their companies do not use formal IT risk-management steering committees to guide their security decisions – opting for informal groups or no steering committees at all.
Only 39 percent of respondents in 2012 lacked a formal risk-management process and standing committee to set overall priorities.
That “incongruent finding” means one of two things, Wheeler said: either the results validate the idea that data-driven, risk-analysis security is being put aside in favor of “FUD-based emotion-driven activities,” or “they indicate that those who have concerns are simply burying their heads in the sand rather than proactively addressing emerging threats.”
Image: HP/Ponemon Institute