By Richard Hunter and Vic Wheatman, Gartner, Inc.With more than 600 million individuals worldwide now on the Internet, cybercriminals are taking advantage of unsophisticated users and enterprises and unsecured machines to usher in a new era of high-profit, low-overhead crimes targeting information and intellectual property. Many enterprises, possibly overwhelmed by the effort, costs and conflicts that arise in attempting to implement effective security measures, have adopted the erroneous "security by obscurity" philosophy, thereby assuming they are protected by their relatively small presence in cyberspace. However, it takes only one unsecured machine on a network to create potential risk for everyone else. The risks and the costs of defenses are high, and the trend is moving both upward.Gartner's assessment is that at its highest level within the enterprise, information security's top vulnerabilities are:Fundamentally insecure commercial softwareAn inadequate patch update modelMisguided users who believe crime happens to "someone else"Assessing "Cyber-Threats" From the Enterprise PerspectiveBy year-end 2003, 90 percent of intrusion detection system deployments will fail if false positives are not reduced by 90 percent (0.7 probability).By 2006, enterprises that rely on only proxy and stateful packet inspection will experience successful application-layer attacks at twice the rate of enterprises that use leading deep packet inspection approaches (0.6 probability).By 2005, enterprises will no longer use software-based application proxy firewalls (0.6 probability).Gartner's Cyber-Threat Hype Cycle characterizes the progression of a number of threats (see Figure 1).Enterprises should evaluate the changing threat landscape in the context of their specific defensive requirements. As threats mature, so do defenses.Securing the Enterprise From the Inside and OutBy 2005, financially or politically motivated attacks will represent 30 percent of total incidents, and 60 percent of the incident costs incurred by enterprises (0.6 probability).Through 2008, enterprise insiders, working alone or in conspiracy with outsiders, will account for a majority of financial losses resulting from unauthorized use of computers and networks (0.8 probability).Guideline: Create and enforce legal agreements defining legitimate use of proprietary intellectual property by trading partners and employees.Today's business processes are often designed for speed and convenience, not security. With that in mind, enterprises face a conflict between security and commerce because limiting insider access to information certainly cripples the ability to make mischief, but it also cripples the ability to generate revenue. Generally, this conflict is resolved in favor of open access.Externally, almost all enterprises connect digitally to share information with other organizations such as customers, suppliers, outsourcers, or regulators (see Figure 2). In that context, the risk that confidential information will be stolen or misused is amplified. Many enterprises don't have processes for establishing and enforcing agreements on shared use of intellectual property. Without such legal agreements, misuse is more likely and less subject to recovery.Enterprises should take steps to secure themselves against rogue insiders or resign themselves to suffering losses from insider crimes.Create a Security-Aware Enterprise CultureIn essence, a security-aware culture is alert to threats and knows what to do when they occur. Management establishes the foundation for such a culture by implementing sensible policy, training employees, and taking action quickly and visibly when threats arise.Employees must know the following:The enterprise's policies. Employees can't take care to limit their own and others' violations if they don't know what is permitted.The common threats. Employees should know how to recognize common threats, such as viruses, and avoid or limit them.The impact. Employees should understand the potential seriousness of specific threats to the enterprise.How to report and respond. Employees must know how to summon help quickly when they see a threat. Moreover, security managers should ensure that desktops are locked down (that is, not allowing unauthorized software or hardware to be used or attached).The "Good Enough" Information Security SolutionGuideline: Avoid vendors with overhyped but weak security products, or those with strong products but poor business practices. The best information security solution is often "good enough."Factors such as the inhibiting effects of the economic downturn, buyers' remorse over previous grand plan security initiatives, a defensive stance driven by modern political realities, continuing vulnerabilities, demands for privacy, and regulatory issues are creating great stress for information security practitioners. The result is that enterprises tend to implement "good enough" products and services while navigating through minefields of overpromoted products, or products so advanced that the need is not readily apparent.Enterprises should identify products that fit between market share leaders in the "good enough" category and those with just enough proven, advanced technology to provide an edge against security threats.Enterprises should limit their procurement analyses to vendors with a good balance between business sense and knowledge of information security technologies.The Outsourcing Option and Evaluating Security ProvidersBy 2005, 60 percent of enterprises will outsource monitoring of at least one perimeter security technology (0.6 probability).Most enterprises have focused attention on security functions that are designed to keep the "bad guys" out. But most enterprises do not have the resources to do an effective job keeping the "bad guys" out and letting the "good guys" in as demanded by e-commerce and business-to-business activities.Outsourcing the "bad guy barrier" is a driver for the managed-security market but the market is still developing. Although a few vendors have been offering services for years, the past two years has brought growth in the number of vendors and the range of managed-service offerings.Target customers include those without core competencies in information security, enterprises that have addressed perimeter security and gained experience in putting their security architectures in place and who are looking for efficient operations - but not at the expense of their security postures.The Role of Government in Fighting CybercrimeBy 2006, increasing incidence of large-scale for-profit cybercrime conducted by terrorists and organized criminals will force governments to take an active role in promoting common defenses in cyberspace (0.6 probability).By 2007, widely accepted legal norms for assessing civil damages resulting from negligent information systems security will have been established in the United States, by statute or by case precedent (0.8 probability).By 2008, at least one such lawsuit will result in a judgment or settlement for more than $10 million in favor of the plaintiffs (0.6 probability).Many ways exist to reduce the frequency and impact of successful attacks:Enterprises and users at every level can start paying attention to security basics - such as staying up to date with patches and antivirus definitions, using firewalls, using stronger passwords and other forms of strong authentication - which is the equivalent of fastening seat belts before driving.Software vendors can produce software without gaping vulnerabilities.Governments, in turn, can take steps, regulatory or otherwise, to encourage such behaviors from vendors, enterprises and users.As computer-enabled crimes and electronic surveillance by government, commercial enterprises, and even individuals, increase in frequency and severity, people everywhere are concerned about cyber-threats to their interests. U.S. businesses other than healthcare and financial services organizations are still essentially free to do what they like with information they gather on customers and other enterprises, but the tide is turning.Even without regulatory requirements, Gartner estimates that the cost to mitigate the damage from a successful attack is at least 50 percent higher than the cost to prevent it. Enterprises that focus on real risks and pay attention to their program's risk-reduction effectiveness will receive the best return on their security investments.It's best and least expensive in the long term to develop a capable program before being forced to act by legislation.The Business Value of Information SecurityGuideline: The business value of information security can be calculated on the basis of risk reduction, security as a (decreasing) cost of doing business, and return on investment via enhanced trust relationships and improved business opportunity.The Sarbanes-Oxley Act of 2002 has convinced corporate officers of the wisdom of investment to secure critical business information against unauthorized access, internal or external. Soon, civil liability for insecure software and lax security will convince remaining laggards that security really does matter.Few enterprises that have strong security will brag about it publicly. Instead, code words such as "risk" and "trust" will be used to signal superior security to markets, trading partners and customers. In any case, unsecured enterprises will face higher costs from poorly administered, expensive security programs, intellectual property losses, theft and lawsuits. Superior security is a competitive advantage, and poor security will be increasingly disadvantageous.RecommendationsEnterprises should assume that legal liability for poor security practices is on the horizon, and act accordingly.Security market providers and software vendors should assume that insecure products and services will be the basis of future legal liability claims.Enterprises should develop an enterprisewide, cross-application view of their information security requirements, beginning with policies and cultural change.This article is an excerpt of a chapter from a new Gartner Executive Report, "Securing the Enterprise: The Latest Strategies and Technologies for Building a Safe Architecture." The report is an offering of the Gartner Executive Report Series, a new business venture of Gartner Press that provides buyers with comprehensive guides to today's hottest IT topics. For information about buying the report or others in the Executive Report Series, go to www.gartnerpress.com\/executivereports.