Seventy eight percent of corporate executives report that computer security is now the single most critical attribute of corporate networks, according to a new survey and report on networking and business strategy from AT&T in co-operation with the Economist Intelligence Unit (EIU).
Security moved to the top of the list from its number two spot in the 2003 survey, replacing network reliability and availability as the most critical network attribute.
The EIU survey of 254 senior executives worldwide on the future of corporate networking reported that although businesses worry about security, the vast majority of executives want to further open up their networks to partners, customers and mobile workers. Much to the chagrin of many information technology (IT) executives, it is a network's openness that can also increase its vulnerability.
"In a global networked economy of Internet connectivity and
interoperability, isolation leads to irrelevance for enterprises that can't protect their networks," says Hossein Eslambolchi, president of AT&T Global Networking Technology Services. "Unless security is managed effectively, executives are right in thinking that cyber attacks may yet prove the toughest threat to the sustained development of the networked enterprise."
The worldwide impact of cyber attacks has grown steadily from $3.3 billion in 1997 to an estimated $12 billion in 2003, according to Computer Economics in Carlsbad, California. As a result, protecting networks against malicious intruders and unauthorized activities has become critical to business. The spiraling threats of cyber attacks and increased vulnerabilities are resulting in rising costs, causing network security spending to outpace overall IT expenditures. On average, the firms in this survey devoted 9 percent of the IT budget to network security in 2002; the figure rose to 11 percent last year and is expected to reach 13 percent in 2004.
These and other findings are presented in a new report called Network security: Managing the risk and opportunity, which is now available at www.business.att.com/emea/english/whitepaper.
The survey respondents reveal a clear link between their firms' technology-related goals and their chief information vulnerabilities.
More than 80 percent of all the executives surveyed believe that their goals of giving remote workers access to corporate networks and improving the availability of customer data and financial details to employees leave their firms vulnerable or extremely vulnerable to security threats.
The biggest vulnerability of all appears to be people. The survey respondents believe that 83 percent of attacks originate internally, stemming from such actions as internal sabotage, espionage or accidental mistakes.
An astonishing admission is that 78 percent of respondents admitted to having opened an email attachment from an unknown person within the last year. Security spending itself is likely to shift focus over the next few
years, moving from layers of perimeter protection and intrusion detection -- which are ultimately untenable as organizations enable more electronic transactions and communication -- to new and better tools aimed at prevention of attacks and a quicker mitigation and remediation of those attacks that happen.
Many firms are turning to managed security service providers to address their increasingly complex security needs. A full 32 percent of survey respondents already use or plan to use managed security services in the next two years. Another 14 percent intend to use them in the long term. However, 70 percent of these firms are small and medium-sized companies.
Turning to managed security service providers is not the only departure from conventional practice wrought by the escalating security threat. The research points to two significant changes in governance: the CEO is increasingly taking ownership of network security policy in some companies, and in others, a relatively new role, the chief security officer (CSO) is emerging. "For any company, it is virtually impossible to ensure protection of assets without one person owning the focal point," says Ed Amoroso, information security officer at AT&T. "It is time that boards start recognizing that a chief security officer is about as important as a comptroller."
The report Network Security: Managing the Risk and Opportunity is the second in a series of four thought leadership articles written by AT&T in co-operation with the Economist Intelligence Unit on the future of networking.
Subsequent papers will examine the topics of remote working and Voice over Internet Protocol.