The proportion of IT budget spent on security increased in 2009, although this is partly due to the overall IT budget being reduced. There was a growth in the use of most types of security technology. Nearly all respondents were satisfied with the quality of security products in all product categories, but they qualified this opinion by saying that there was plenty of room for improvement. The respondents seem to have reached a level of maturity at which they know what they don't know. Generally, security professionals are satisfied with their budget, although end-user security training was flagged as an area needing more investment, as we have noted above.
Attackers are aiming for soft targets
At the launch of the CSI survey results, Jim Jaeger of General Dynamics Advanced Information Systems spoke about the security incident investigations that his company has performed over the last year. His experience indicated that organisations with lower levels of security awareness were bearing the brunt of losses. The retail sector accounted for 35% of his company's cases. Forty percent of attacks used SQL injection, a vulnerability that has been known for many years. Fifty-five percent of the victims had no security monitoring capability, and a further 40 per cent of respondents used an outsourced managed monitoring service that had in many cases been chosen because it was the cheapest available service. Conversely, in the financial services sector, security is now so good that attackers are turning their attention to employees' home computers in the hope of harvesting passwords that they may also use at work.