With the National Bureau of Economic Research in the United States announcing last week that the U.S. has officially been in recession since Dec. 2007, IT budgets are highly likely to be strictly controlled both in the U.S. and in other parts of the world. I had a conversation with a friend over the weekend, and he asked me if I expect redundancies in the IT Security industry, as companies could no longer afford to have dedicated security personnel on their books.
To be honest, yes, I think there will be. However, I also think that the overall IT security industry will continue to grow in 2009 – bad guys are not going away anytime soon, and a lot of their existing scams work really well in this economic climate. Companies that choose to think otherwise may well end up regretting it in the long term, and here are my thoughts on why:
At the end of the day, security boils down to risk management. The three core values every organization needs to protect are often summed up in the acronym CIA (Confidentiality, Integrity, Availability). Different organizations prioritize different areas, but I think when it comes to an economic downturn, confidentiality and availability are obviously the most affected.
In terms of confidentiality, we are talking about an organization’s private data being protected. I’m based in Ireland, where 17,000 people had their jobs slashed in November. This is a drop in the ocean compared to other countries, particularly the half a million employees who lost jobs in the U.S. Insider threats have long been one of the largest risks facing organizations, especially in the case of the so-called “disgruntled employee.” With large numbers of employees made redundant, having their salaries cut, etc., there are a lot of incentives for these same employees to engage in data theft.
When people feel hard done by by their employers, they are more likely to relax their morals. In these cases they may no longer consider taking confidential company information outside of the company as stealing. They feel entitled to this information; after all, they’ve put years of work into helping the company grow. The very fact that there are so many Data Leak/Loss Prevention (DLP) solutions on the market should give you an idea of just how big this problem is – and I think the risk of data theft/loss is going to increase in the current climate.
Which brings us to the other big factor – Availability. Almost every company is currently engaged in examining their costs, and reducing them wherever possible. Whether it is in terms of head count or even simply lowering all of the thermostats in their buildings by five degrees (my hands are going blue typing this), a lot of companies are walking a very fine line trying to keep afloat for the next two to three years – even the smallest misfortune could tip the ship.
This is where malware comes in. The recent WORM_DOWNAD.A attack was quite successful in infecting unpatched Windows machines, with quite a few companies having thousands of machines infected by the threat. Cleaning up a threat like this costs a lot of money – a company may need to pay its IT staff overtime to fix the problem, or it may have to bring in external contractors. That’s not where the real loss is, however. Picture a company of 4000 employees. Now picture all of those employees being unable to use their machines for three hours while the systems are being cleaned, patched and tested. That is 12000 man-hours of work for which that company is paying and getting nothing in return. To put it another way, that’s about 6.5 employees’ salaries for the year, which adds up to around 200-250K. There are very few companies that have that kind of money to burn at the moment.
So, to any organization thinking of cutting its security budget: think long and hard about weighing the short-term savings against the potential losses. I wish I could say that there won’t be companies that go under because of a malware attack in the next couple of months – but optimism is not exactly in large supply at the moment.