Today, at a time when IT managers are being called upon to do more with less, security spending is coming under greater scrutiny. That’s to be expected.
And yet it’s now – when budgets are tight and resources scarce – that businesses could also face serious security threats, some industry insiders say.
During a financial downturn, attacks on corporate networks are likely to increase, according to Hongwen Zhang, CEO of Wedge Networks Inc., a vendor of network-based Web security products based in Calgary.
That’s because many firms – and the organizations they interact with online – are scaling back on security spending to cut costs.
Wrong security spending priorities could be costly in more senses than one, experts warn.
They urge companies to adopt a needs-based, rather than products-based approach to security spending.
Investment should not focus on plugging leaks. Rather, it should be founded on a realistic assessment of overall network security needs, according to Jon Olstick, senior analyst with Enterprise Strategy Group, a research firm in Milford, Mass.
No truck with viruses
Monarch Messenger Services Ltd. is an example of a Canadian business that focused security investments on areas directly affecting operational efficiency.
The Calgary-based trucking firm has 325 drivers and 85 other employees.
Two years ago spam and viruses slowed down the firm’s network.
Agents could not react immediately to client requests, relay vital information to mobile workers, or process other daily transactions.
Between drivers, employees and customers, the network crisis affected more than 2,000 people across Canada, said Graham McDonald, systems administrator at Monarch Messenger.
“The virus and spyware issue was completely out of hand,” he said.
The attacks, said McDonald, slowed down workstations and tied up IT staff for as many as 20 hours each week. “Our IT team was always out there clearing viruses off desktops.”
He said his team noticed the Web-based attacks focused on tricking users into pulling malicious content into the network through vulnerable endpoints.
Monarch initially rolled out Wedge Networks’ BeSecure Virus Protection Appliance for malware and malicious code detection. Later the trucking company also installed BeSecure’s Web Filtering and Spam Filter modules.
McDonald said the emphasis was on ensuring operations remained secure and uninterrupted because the attacks were cutting into workforce efficiency and ultimately the company’s bottom line.
Since the deployments, network downtime has been halved – from four to two hours each week, he said.
Monarch is among many companies that actually saw security spending double in recent months, despite the economic downturn.
“IT has been busy as ever. Our IT security budget actually doubled in the past six months, as we need to keep everything protected and functioning,” McDonald said.
Monarch Messenger’s increased spending on security in these tough times may not be exceptional.
The security portion of IT budgets will rise by 12.6 per cent in 2009 – up from 7.2 per cent in 2007 and 11.7 per cent in 2008, according to a recent survey by Cambridge, Mass.-based Forrester Research.
“Security is getting the bigger slice of the IT pie, with the focus less on reactive vulnerability defense and more on looking at what’s necessary to protect the business,” said Jonathan Penn, chief author of the Forrester report titled, State of Enterprise IT Security: 2008-2009.
Don’t trim these three
The economy may be in tatters but despite the rush to slash spending, cutbacks should not extend to these three crucial areas, experts say.
• Systems that protect essential IT infrastructure – including anti-virus appliances or software, Web server or application protection tools
• Products that increase mobility and productivity – such as virtual private network offerings, and gateway based systems that improve connectivity with mobile devices
• Optimization tools – products that help IT managers eke out more from existing resources. These include virtualization tools and applications that make existing servers more efficient, or those that reduce monthly bandwidth expenditure