Incident Response, Network Security, TDR

IT security budget issues: Fiscal reality

The financial crisis will have a lasting impact, but some organizations have found ways of doing more with less, reports Angela Moscaritolo.

Though the Great Recession is officially over, the country is still feeling its effects. Faced with thinning budgets in 2010, many organizations put on hold any plans to modernize their defensive strategies.

The priority became meeting the minimum industry and government security mandates, says Joshua Corman, research director of the enterprise security practice at analyst firm The 451 Group.

But, for resourceful enterprises, the financial crisis was a lesson in finding ways to do more with less. Take, for example, the IT department for the state of Nevada, which underwent a significant transformation as a result of diminishing financial resources, says Christopher Ipsen (left), the state's CISO.

When the national economy started free-falling in 2008, Nevada's fiscal condition weakened as retail sales and gaming revenue slowed. By the end of 2008, Nevada was officially in a recession, and the state budget was cut by 20 percent.

Before the slowdown, state departments and divisions had enough money to handle information security on their own, Ipsen says. As resources began declining, however, government entities started looking for ways to maximize security spending and to share resources.

“Government is designed to move slowly,” Ipsen says. “As resources diminish, the innovation has to increase to keep up with it.”

Several years ago, the Nevada information security office was formed to support the development and administration of programs throughout the state government. This centralized office is staffed with specialized security pros who assist state entities with endeavors such as e-discovery, penetration testing and incident response. An increased reliance on this resource has allowed government departments to better weather the economic downturn and even improve their security postures, Ipsen says.

“Failure is not an option,” he says. “We are looking at every opportunity to collaborate and ensure we are doing the best job we can with citizens' data.”

However, not all organizations have been as proactive when faced with strained budgets. The 451 Group's Corman (right) argues that security rules, such as the Payment Card Industry Data Security Standard, drove most information security spending during the recession but often mandated the “oldest and least effective” technologies.

“Investments that might have been made in better economic climates weren't made, leaving them exposed to modern adversaries,” Corman says. “My concern is that the threat of fines and penalties that came from compliance regimens taught us to stop doing effective security.”

Further, he worries that organizations have fallen into the practice of striving for only a minimum level of security and may continue to do so, even when budgets improve.

Danger from within

While the financial crisis has left many organizations ill-equipped to thwart modern attackers, it has also exacerbated the prevalence of threats emanating from within. Cyberthreats from external sources are still the dominant vector, but internal threats more than doubled last year, according to a report released in July by Verizon Business and the U.S. Secret Service. The 2010 Data Breach Investigations Report, which takes into account 900 breaches probed by Verizon and the Secret Service last year, found that 48 percent of data leakage incidents were linked to insiders, an increase of 26 percent over the previous year.

Faced with the prospect of losing their jobs, many trusted employees and business partners have turned to cybercrime, experts say. “[Employees] know their account might be worth money if they can find an outlet to sell it,” says Bryan Sartin, director of investigative response for Verizon Business.

Business authentication credentials have replaced credit and debit card numbers as the new favorite in the cybercriminal underground, he says. Employees' VPN login credentials can nowadays fetch anywhere from $20,000 to $60,000 per account on the black market.

In its data breach investigation case–load, Verizon Business noted an increase in “insider collusion,” by which external cybercriminals partner with insiders who agree to participate in the attack, Sartin says. Often, a disgruntled insider with access to sensitive information will act as an enabler by providing outside cybercriminals with authentication credentials.

In the end, there often is no way to pin the crime on the external perpetrator, so the insider winds up taking the fall and may never even get paid, Sartin adds.

Overall, 48 percent of all breaches in 2009 were attributed to users who abused their rights to access corporate information for malicious purposes. In addition, 90 percent of insider threat cases resulted from deliberate malicious activity, while unintentional activity or inappropriate conduct each accounted for six percent.

Sartin says these changes in the threat landscape will likely last for another few years. “It is clear that attackers have settled into a new strategy that works, and the good guys have some catching up to do,” he says.

Still, most organizations today focus almost entirely on mitigating external threats, says Chester Wisniewski, senior security adviser at anti-virus firm Sophos Canada. “There is almost no focus on internal controls in the companies I have seen,” he says. “The reality is that the internal person poses a much greater risk of stealing the right data.”

However, Nevada's Ipsen says that in times of economic hardship, there is greater concern about insider threats, particularly if an organization has to lay off staff. But, he says, organizations should be mindful of insider threats even when the economy improves.

“We take insider threats very seriously,” Ipsen says. “It is not specific to government or economic times. It is a reflection of effective security practices.”

Access control

For Nevada, one of the most important aspects of mitigating potential insider threats is ensuring separation of duties so that any one employee does not have too much control over any aspect of the enterprise business system, Ipsen says.

Verizon's Sartin adds that in times of layoffs, simply revoking employee access in a timely fashion could eliminate the vast majority of insider malfeasance.

Nevada might have addressed the challenge of insider threats, but in terms of fiscal concerns, the state isn't out of the woods just yet. Two years after its budget was slashed by 20 percent, the state is again facing potential shortfalls, with some projecting budget cuts as large as 45 percent for fiscal year 2012-13.

Ipsen says that regardless of what happens with the state's budget, he will continue to look for ways to improve security capabilities and reduce costs through effective intergovernmental collaboration. Just as important, he plans to keep stressing the business benefits of security to elected leaders and encourage executive sponsorship of future projects.

“IT is the business enabler, and IT security is the IT enabler,” he says.

And with signs that the national economy is beginning to recover, Ipsen hasn't given up hope that economic conditions will improve in the Silver State. Nevada's economy is reliant on the condition of the national economy and can recover quickly if there is a rebound in gaming revenue and sales taxes. And, for Ipsen, that's a good reason to invite people to visit the state.

“Come to Vegas or Reno or Tahoe,” he says. “We are eager to have you here!”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.