Layoffs Threaten Security

By Eileen Feretic  |  Posted Monday, August 03, 2009 23:08 PM

By Eileen Feretic

Almost half (45 percent) of the 180 IT security professionals who responded to a Breach Security survey conducted at the recent Black Hat USA Security Conference said that staff reductions have negatively affected their ability to protect their enterprise. That's a frightening, if not very surprising, statistic.

Tech pros in the trenches certainly understand the ramifications of having fewer people to fight the constantly growing number of cyber-threats. But do top executives realize how exposed their companies are as a result of layoffs? Too many don't seem to get it.

I spoke last week with someone who might open their eyes. Francis deSouza, senior vice president of Symantec's Enterprise Security Group, told me that there were more viruses in 2008 than in the previous 17 years combined. He added that there are also significantly more insider and botnet threats.

Equally disturbing is the fact that the type of attacker has changed. Last year was a "tipping point," according to deSouza, with 90 percent of breaches driven by organized crime. These technologically sophisticated criminals have deep pockets and target vital corporate and personal information, he explained.

And their attacks are thorough and well-thought-out, said deSouza, who spelled out the four stages of the typical battle plan: incursion (poking at a network via e-mail, poorly protected Web apps or Web servers with default passwords); discovery (finding where the information is stored), capture (determining the value of information versus the level of protection) and exfiltration (get the information out of the system).

So now we've got a scaled-back, overworked IT security team battling against well-funded, tech-savvy criminals. Not exactly a fair fight.

To make matters worse, enterprises are not paying attention to the right security issues. According to the Breach survey, 46 percent of respondents identified compliance as their organization's highest priority, while only 38 percent mentioned application security controls as the top priority.

"Poor global economic conditions have caused organizations to focus on the minimum investments required to appease auditors instead of implementing solutions to adequately protect customer and corporate data," wrote Sanjay Mehta, senior vice president for Breach Security.

Wouldn't you think that protecting corporate and customer data would be every company's top priority? What are these executives thinking?