In 2002, three university professors from the University of Texas calculated the effect of a publicly announced security breach on the stock market value of a victim company. After ploughing through some equations that are as tall as they are long, they reached the astonishing conclusion: Compromised firms lose approximately 2.1% of their market value within two days of a security event – in the US, that averaged out at about $1.65 billion per company.
Over the longer term, of course, most companies will recover that lost value. But the markets, as the saying goes, never lie. The figures demonstrate in stark terms just how important IT security has now become to modern business.
The reasons why are clear enough. First, all business is now e-business; there is virtually no company that does not actively trade in some form over the web, and whose data, documents and brand are potentially vulnerable if security is insufficient.
The extent of that vulnerability has been clearly demonstrated by the growing wave of electronic attacks now afflicting all businesses (see feature, ‘A year in high-tech crime’). Every category of high-tech crime – ranging from viruses, hacking, denial of service attacks, phishing (emails that attempt to persuade people to divulge their passwords), electronic fraud, spyware, extortion and theft of intellectual property – has increased exponentially in the past three years. That Microsoft thought it was necessary to start offering large rewards for the identity and conviction of virus writers demonstrates the problem.
To make matters worse, law enforcement bodies are now warning that organised criminals and, possibly, terrorists are behind many high-tech crimes. For this reason, they are expecting both the number and the impact of electronic crimes to increase further.
A third factor is driving the issue of security up the agenda: corporate governance. In the US, in particular, legal reforms and directors’ responsibilities now mean that businesses that do not properly protect their information assets, including making their best efforts to provide a clean and secure audit trail, will be open to lawsuits and possibly criminal prosecution.
All of this has focused the minds of business executives, and led to a large increase in spending on information security, and just as importantly, a reassessment of risks and of security management throughout the organisation. In 2001, according to market analysts at the Meta Group, 3.2% of all IT spend was on security; in 2003, they say, this figure rose to 8% (although some security budget-holders argue that this is too high).
Back in the mid-1990s, when electronic crime was only just beginning to cause serious alarm, most spending in this area was on firewalls and on ad hoc protection against viruses. Now, the pattern is changing. Companies are seeking to invest in holistic security architectures – entire suites of software and systems designed to deal with any type of threat. Increasingly, too, they are developing sophisticated risk assessment techniques aimed at managing both the human and electronic side of information security.
This is not a trivial matter. That is one reason why, in many large organisations, the IT director has been joined by a security director in a concerted attempt to grapple with the huge array of security problems that are likely to be thrown up in the coming years.