Last year 8% of the IT budget went towards security. This year? 10%.
Khalid Kark, principal analyst at Forrester Research, Inc., presented security statistics at Forrester’s Security Forum 2008. For the past four years, CIOs said security was their top priority and despite the economy, three out of four said they would continue to spend ten percent of their IT budget on security. But how much of the budget is allotted for security against internal threats? Have we forgotten about the situation in San Francisco? Administrators were locked out of the system by one of their own — a top IT guy. And according to Forrester, the majority of security breaches involve internal employees.
Knowing that, I suppose I should have been prepared for the results of Cyber-Ark’s new survey. After polling 300 security professionals, the Cyber-Ark results claimed that 88% of IT administrators would steal valuable and sensitive company information if they were fired tomorrow. This isn’t like Jerry Maguire snagging the company goldfish on the way out – this is valuable company information! I’d like to know what’s going on to protect against that.
The Cyber-Ark survey also showed that “a quarter of the companies polled admitted to suffering from internal sabotage and security fraud in their workplace. One third said they believe industrial espionage and data leakage is occurring within their company.” Cyber-Ark CEO Udi Mokady did offer some protection advice, suggesting securing privileged passwords, changing them often and managing them. And even though Cyber-Ark sells products that do just that (a teeny bit of a marketing pitch?), the results are difficult to ignore.
It’s not just malicious acts that threaten your company’s security – employees who lose their laptop (or have it stolen from an office and then replaced…) also pose a security threat. IT sloppiness is also dangerous. The survey showed a third of the most powerful passwords are still being written on Post-it notes. No comment necessary.
So how can you increase your security? Kark says it’s important to embrace change when it comes to security. He also provided three points to live by: have an open mind, educate yourself on new technologies and developments, and use that education to solve the problems of today. Just because you updated your security system last year, don’t assume you’re as protected as you’d like to be today. As technologies change, so do the threats against them.
On a lighter note, Dr. Gary McGraw, CTO of Cigital, talked to us about software exploitation and EULAs (end user license agreements). Apparently, the EULA you accept to access Microsoft’s FrontPage disallows posting negative comments about Microsoft. Just a little tidbit of information for you.