North American businesses in every sector are spending more on IT security, but that has not necessarily made them more secure. “Many companies are investing their security dollars on the wrong risks,” according to John Pescatore, vice-president of Internet Security at Gartner Inc. in Stamford, Conn.
He cited a Gartner survey that shows the average enterprise channelled 5.4 per cent of its IT budget into security in 2003 – a 20 per cent increase over 2002. “Despite this increase, there are many areas where old spending patterns are definitely not leading to better or more efficient network security.” For instance, Pescatore says, Gartner is advising clients not to expend limited IT resources on network intrusion detection systems (IDS), but to opt for application-level firewalls instead. “We now have firewalls that can block the very same attacks that IDS systems merely alarm on,” Pescatore says. “You spend $1 million on IDS and you have the same level of break-ins.”
For protection against viruses, he says, many companies spend money on desktop protection but fail to put anti-virus software on the e-mail server, where it is more effective.
On the flip side, he says, companies and vendors across the board are getting the message and are starting to look at network security very differently.
For instance, Gartner predicts that over the next few years many enterprises will adopt “containment technologies” that can shut off certain parts of the network in order to protect the infrastructure from threats such as viruses.
Kent Kaufield, a senior manager with Ernst & Young’s technology and security risk services practice, says the sharp rise in security technology spending is not, by itself, a very heartening fact. “The biggest component of a security budget should be process and people spending. And that isn’t growing as fast as the technology spend. So we’re ending up with very small security groups handling technology they aren’t properly equipped to use.”
Gartner research director Richard Stiennon says some companies take drastic measures to protect their networks. One company “started stopping people at security and checking their laptops… loading software on them to make sure there were no worms on the machines.”
The approach didn’t work – a meeting would be scheduled for 9 a.m. “and nobody would show up until 10 a.m. because they were all waiting in line at security with their laptops.”