by Senior Editor

Companies on IT Security Spending: Where’s the ROI?

Jan 25, 2010 | 4 mins
Application Security, CSO and CISO, Internet Security

Companies have spent millions to bolster their IT security in recent years. But some are starting to wonder if it's been worth it, according to the 2010 Cyber Security Watch survey CSO conducted with the U.S. Secret Service, Carnegie Mellon University CERT and Deloitte & Touche.

Companies have spent many millions of dollars to build defenses around their IT assets this past decade, motivated by malware attacks, data security breaches and the resulting regulatory compliance cattle prod.

But the bad guys are still a few steps ahead in terms of sophistication and speed, and some wonder if their investments were all for nothing, according to the newly released 2010 Cyber Security Watch Survey.

More than 500 respondents, including business and government executives, professionals and consultants, participated in the survey, conducted by CSO Magazine with help from the U.S. Secret Service, Carnegie Mellon Software Engineering Institute (CERT) and Deloitte’s Center for Security and Privacy Solutions. Though respondents point to sizable efforts to keep their companies secure, many admit it’s getting almost impossible to outpace the bad guys.

“Security confidence seems to be waning. Respondents are spending more money and implementing new capabilities, but overall they seem to be unsure about how truly effective their efforts really are toward ensuring security,” said Ted DeZabala, principal at Deloitte & Touche LLP and U.S. leader of Deloitte’s Security & Privacy services.

The survey showed a drop in cybercrime victims — 60 percent this year compared to 66 percent in 2007. But the affected organizations have experienced significantly more attacks than in previous years, fueling doubts about return on investment (ROI).

Between August 2008 and July 2009 more than a third (37 percent) of respondents experienced an increase in cybercrimes compared to the previous year. While outsiders (non-employees or contractors) are the main culprits of cybercrime in general, the most costly or damaging attacks are more often caused by insiders (employees or contractors). One quarter of all cybercrime attacks were committed by an unknown source.

Although the number of incidents rose, the ramifications have not been as severe. Since 2007, when the last cybercrime survey was conducted, the average monetary value of losses resulting from cybercrimes declined by 10 percent. This can likely be attributed to an increase in both IT security spending (42 percent) and corporate/physical security spending (86 percent) over the past two years.

And yet, as technology advances, so do the attack methods, and many respondents worry that the bad guys are still winning. Outsiders invade organizations with viruses, worms or other malicious code; phishing; and spyware, while insiders most commonly expose private or sensitive information unintentionally, gain unauthorized access to/use of information systems or networks, and steal intellectual property.

The survey finds that insiders most often use their laptops or copy information to mobile devices as a means to commit electronic crimes against their organization. Respondents suggested data is often downloaded to home computers or sent outside the business via e-mail. This may lead to damaged reputations and may put organizations in violation of state or federal data protection laws.

More than half of the respondents — 58 percent — do believe they are more prepared to prevent, detect, respond to or recover from a cybercrime incident compared to the previous year. But only 56 percent have a plan for reporting and responding to an incident.

The research also indicated that businesses are trying to take steps to identify insider threats. Nearly one-third (32 percent) now monitor the online activities of employees who may be disgruntled or who have turned in their resignations.

Dawn Cappelli, technical manager for the Threat and Incident Management division of the Software Engineering Institute CERT Program, said insider attacks continue to be seen as a bigger problem than anything that might come from the outside.

“Attacks are more costly than outside attacks, and seven of the top eight practices that were indicated as being most effective at prevention, detection and deterrence apply to employees,” she said.

Though many respondents may be doubting the ROI of their security investments, the activity to deal with the insider threat at least indicates that no one is thinking about tightening up on their spending. Perhaps that’s because many feel like they have no choice but to keep spending, lest they fall even further behind the bad guys.

“This looks like good news — they have found effective practices for handling the most costly threats,” Cappelli said. “However, the technical solutions for insider threat mitigation were ranked alarmingly low: DLP, ranked 9th least effective, and change control/configuration management systems, ranked 5th least effective. In addition, account audits are only being performed by 43 percent of respondents, probably because of the technology gap.”

To that end, her parting advice is not to the respondents, but to the vendor community: Come up with something better to help customers achieve the DLP and change control/configuration management they need.