By Tom Espiner, 22 June 2009 17:07
IT security has been neglected due to the economic downturn, according to security experts.
Bruce Schneier, BT's chief security technology officer, told a European Network and Information Security Agency (Enisa) event on Friday that organisations are struggling to keep on top of workloads that have increased due to layoffs.
"Times are tough, even for criminals," said Schneier. "Organisations are dealing with more disgruntled employees - the people you are firing. People in organisations are doing a lot more fire-fighting. IT security has fallen by the wayside, because you're not getting something done - it's preventative."
Schneier said people view IT security the way they view any other business activity - by its results. However, IT security, when it is successful, produces no tangible results, so people focus on outcomes they can measure.
"People view business in terms of what it will do for me today," he said. "When it comes to [activities such as] updating firewall settings, people say 'We'll do that when we have time'."
This lack of tangible results can lead to security budgets being cut, said Schneier, especially if the IT security capability has been so good it has prevented incidents.
"This happens in IT security all the time," Schneier said. "If you're doing really good, people will say 'We don't need you, because there have been no incidents'. Justification for IT security requires a level of abstraction."
Schneier said organisations that are reducing their staff levels, for example by 15 per cent, would think it right to reduce their security capability by 15 per cent. However, Schneier said this reasoning was flawed.
"It seems logical you can reduce security by 15 per cent but it turns out not to be the case," said Schneier. "Because of redundancies, companies are becoming leaner, and IT systems are becoming more critical to the business. I'm seeing security groups being asked to harden systems because they are more business critical."
Chris Potter, a partner at auditors PricewaterhouseCoopers, said incidents tend to happen every three to four years, which means people downgrade the risk.
"Over time risk assessments deteriorate," said Potter. "That window of three to four years is a long time in the corporate memory."
Potter added that organisations that have invested in automating computer processes have been the most resilient through the recession.
"The more organisations have invested in automating where they can, the less they have been affected by the downturn," said Potter. "Organisations that are less mature have been the most affected."
