The previous time that my fingers turned blue from writing was way back in my primary school days. Recently, Robert, a colleague in Ireland, was experiencing the same effect while typing a mere 700-word article. Why would such a short article have such prowess? I guess it is pretty cold in Ireland. Even then, Robert was working within the comfort of his office tower. Sigh.. I guess this is due to the recent world financial crisis (which resulted in aggressive energy saving policies). When Robert was working on the article below, the heater unit in his office tower was set at 5 degrees lower than normal. In his article below, he talks about strict controls on IT budgets, and also his opinions on how leakage of confidential information can be more prominent during times of recession.
Security in Recession
Author: Robert McArdle (Trend Micro Threat Analyst)
With the National Bureau of Economic Research in the United States announcing last week that the U.S. has officially been in recession since Dec. 2007, IT budgets are highly likely to be strictly controlled both in the U.S. and in other parts of the world. I had a conversation with a friend over the weekend, and he asked me if I expect redundancies in the IT Security industry, as companies could no longer afford to have dedicated security personnel on their books.
To be honest, yes I think there will be. However, I also think that the overall IT security industry will continue to grow in 2009 - bad guys are not going away anytime soon, and a lot of their existing scams work really well in this economic climate. Companies who choose to think otherwise may well end up regretting it in the long term, and here are my thoughts on why:
At the end of the day, security boils down to risk management. The three core values every organization needs to protect are often shown in the acronym CIA (Confidentiality, Integrity, Availability). Different organizations prioritize different areas, but I think when it comes to an economic downturn, confidentiality and availability are obviously the most affected.
In terms of confidentiality, we are talking about an organization’s private data being protected. I’m based in Ireland, where 17,000 people had their jobs slashed in November. This is a drop in the ocean compared to other countries, particularly the half a million employees who lost jobs in the U.S. Insider threats have long been one of the largest risks facing organizations, especially in the case of the so-called “disgruntled employee.” With large numbers of employees made redundant, having their salaries cut, etc., there are a lot of incentives for these same employees to engage in data theft.
When people feel hard done by their employers, they are more likely to relax their morals. In these cases they may no longer consider taking confidential company information outside of the company as stealing. They feel an entitlement to this information; after all, they’ve put years of work into helping the company grow. The very fact that there are so many Data Leak/Loss Prevention (DLP) solutions on the market should give you an idea of just how big this problem is - and I think the risk of Data Theft/Loss is going to increase in the current climate.
Which brings us to the other big factor - Availability. Almost every company is currently engaged in examining their costs, and reducing them wherever possible. Whether it is in terms of head count or even simply lowering all of the thermostats in their buildings by five degrees (my hands are going blue typing this), a lot of companies are walking a very fine line trying to keep afloat for the next two to three years - even the smallest misfortune could tip the ship.
This is where malware comes in. The recent WORM_DOWNAD.A attack was quite successful in infecting unpatched Windows machines, with quite a few companies having thousands of machines infected by the threat. Cleaning a threat like this costs a lot of money - a company may need to pay their IT staff overtime to fix the problem, or they may have to bring in external contractors. That’s not where the real loss is, however. Picture a company of 4000 employees. Now picture all of those employees being unable to use their machines for three hours while the systems are being cleaned, patched and tested. That is 12000 man-hours of work which that company is paying for, and getting nothing in return. To put it another way, that’s about 6.5 employees’ salaries for the year which sums up to around 200-250K. There are very few companies that have that kind of money to burn at the moment.
So, to any organization thinking of cutting their security budgets, think long and hard about weighing the short-term savings against the potential losses. I wish I could say that there won’t be companies that would go under because of a malware attack in the next couple of months - but optimism is not exactly in large supply at the moment.