Gartner analyst Richard Mogull has an opening line he likes to use when addressing an audience about security. It goes like this: “How many of you have been victims of a cyberattack?” (A few brave people will raise their hands.) “How many of you have been attacked but don’t know it?” (Everybody’s hand should be raised, Mogull insists.)
Gartner estimates that by 2005, one in five enterprises will experience a serious attack that results in a material loss for the company. Repairing that damage will cost 50 per cent more than the preventive measures would have, not to mention the damage done to the victim’s reputation. A startling 90 per cent of these attacks will exploit known security flaws for which a patch is already available, a statistic that, according to Mogull, reflects a serious lack of awareness of the problem. He says companies often wait too long to install patches on their systems, or have difficulty applying them because of the testing procedures their computing environments require.
“That’s pretty significant,” Mogull says. “If we can identify the cause, most of this can be prevented. It’s a combination ... an issue of patch management and also a general lack of security awareness. If you don’t protect yourself you’re going to experience an attack.”
Budget scrutiny is also partly to blame for companies’ security shortcomings. Requiring a return on investment for security initiatives is the wrong way to approach security, Mogull says; information security should not fall victim to traditional business metrics.
“There has been this focus on ROI,” Mogull says. “What’s the ROI of a firewall? I don’t know. For that matter, what’s the ROI of a fire extinguisher? Security shouldn’t necessarily be considered a line item on a budget.”
Mogull also warns companies to be wary of their business partners’ security practices. If you’re sharing business information with them, you need to know that it’s protected. “It’s definitely a management concern,” Mogull says. “Their poor security becomes your liability.”
In addition to investing in IT security initiatives, Mogull says executives must get employees on board and establish a corporate culture that endorses security. “Culture is probably the single biggest influence in an enterprise,” Mogull says. “We need to start thinking about security as a business enabler.”