Security in a Recession
With the National Bureau of Economic Research in the United States announcing last week that the US has officially been in recession since Dec 2007, IT budgets are highly likely to be strictly controlled both in the US and in other parts of the world. I had a conversation with a friend over the weekend and he asked me did I expect there to be redundancies in the IT Security industry, as companies could no longer afford to have dedicated Security personnel on their books.
To be honest, yes I think there will. However, I also think that the overall IT Security industry will continue to grow in 2009 - the bad guys are not going away anytime soon, and a lot of their existing scams work really well in this economic climate. The companies which take this course of action may well end up regretting it in the long term, and here are my thoughts on why.
All Security at the end of the day boils down to risk management, and the 3 core values every organisation needs to protect are often shown in the acronym CIA (Confidentiality, Integrity, Availability). Different organisations prioritise different areas, e.g. the Military values Confidentiality highest, for Banks it is Integrity, etc. I think when it comes to economic downturn Confidentiality and Availability are the most obviously affected.
In terms of Confidentiality we are talking about an organisation's private data being protected. I'm based in Ireland where we had 17000 people made redundant in November, but this is a drop in the ocean compared to other countries (particularly the half a million in the US). Insider threats have long been one of the largest risks facing organisations, especially in the case of the so-called "Disgruntled Employee". With large numbers of employees being made redundant, having their salaries cut, etc. there is a lot of incentive for these same employees to engage in Data Theft. When people feel hard done by by their employers, they are more likely to relax their morals, and in a lot of cases would not consider taking confidential company information outside of the company stealing - they feel an entitlement to this information, after all they put X years of work into helping the company grow. The very fact that there are so many Data Leak/Loss Prevention (DLP) solutions on the market should give you an idea of just how big this problem is - and I think the risk of Data Theft/Loss is going to increase in the current climate.
Which brings us to the other big one - Availability. Almost every company is currently engaged in examining their costs and reducing them wherever possible. Whether it is in terms of head count or even simply lowering all of the thermostats in their buildings by 5 degrees (my hands are going blue typing this), a lot of companies are walking a very fine line trying to keep afloat for the next 2 to 3 years - even the smallest misfortune could tip the ship.
This is where malware comes in. The recent WORM_DOWNAD.A attack was quite successful in infecting unpatched Windows machines, with quite a few companies having 1000s of machines infected by the threat. Cleaning up a threat like this costs a lot of money. In a lot of cases a company may need to pay their IT staff overtime to fix the problem, or bring in external contractors. That's not where the real loss is, however. Picture a company of 4000 employees. Now picture all of those employees being unable to use their machines for 3 hours while the systems are being cleaned, repatched and tested. That is 12000 man-hours of work which that company is paying for, and getting nothing in return. To put it another way, that's about 6.5 people's salaries for the year, so around 200-250K. There are very few companies that have that kind of money to burn at the moment.
So to any organisations thinking of cutting their security budgets, think long and hard about weighing the short-term savings with the potential losses. I wish I could say that there won't be companies that go under because of a malware attack in the next couple of months - but optimism is not exactly in large supply at the moment.
Labels: Doom and Gloom, Security