The Price of Security

Report: Companies concerned about online security, but not enough to boost spending

New York -- October 11, 2001 -- While U.S. executives are concerned that Internet security breaches could affect consumer trust and confidence in their companies, spending on online security systems remains a low priority because corporations undervalue the data collected by their Web sites, according to a new report from information technology consultancy Jupiter Media Metrix.

A Jupiter survey of 471 information technology (IT) executives revealed that although only 12.1 percent of U.S. companies with a Web presence cite direct financial loss as a concern of suffering an online security breach, more than 40 percent are concerned about the impact that an online security invasion has on consumer trust and confidence.

The consultancy asserts in its report, titled "Enterprise Security: Managing Services for Maximum Coverage," that while these "soft" concerns speak well of customer-focused operations, companies have not assigned a direct financial value to the concerns and therefore have planned for low growth in security spending.

According to the Jupiter executive survey, conducted in July, 49.5 percent of Web site managers and chief information officers (CIOs) consider the sensitivity of their site's data as "low." Jupiter analysts assert that this is a dramatic undervaluing of assets.

The new survey also found that 29 percent of Web site managers and CIOs rate their risk of attack as "low," while nearly a third of these managers classify their data sensitivity as "high." Jupiter argues that any business bothering to support a Web site should be concerned about an attack, and those who admit that their data is valuable to others should be doubly concerned.

"While Code Red and other highly-publicized security breaches have filled headlines, most Web site managers are not particularly concerned about the security of their site's data," said David Schatsky, a senior analyst and research director at Jupiter. "There is a fundamental lack of understanding out there when it comes to the gravity of security breaches. As businesses consolidate their enterprise data, it becomes easier for attackers to reach. Even if files on the Web server itself are relatively inconsequential, a hacker can reach through customer-facing applications to data used by other systems."

To be prepared, stay abreast of the latest developments in site security and fend off unwanted online attacks, Jupiter analysts advise companies to outsource large portions of their Web site security initiatives to third parties.

"Do-it-yourself security is short sighted," Schatsky said. "If you're talented and lucky, you can get by in a pinch, but it's going to catch up with you. Security services should absolutely be monitored and managed internally, but you need expert advice, cutting-edge technology and a 24-hour emergency response team to make it work."

Respondents to the executive survey, totaling 471 individuals, included CIOs, chief technology officers and director- or vice president-level executives in charge of IT at companies with annual revenues greater than $50 million.