Security: Are you spending enough?

Dennis Brandl, BR&L Consulting -- Control Engineering, 11/1/2004

One problem with writing about network and computer security is the speed at which the threat changes. In the few weeks that separate my writing of this article and its appearance in print, there will probably be another large cyber attack and multiple stories about how companies are not doing enough to ensure computer security.

To appreciate the increased emphasis now being placed on computer and network security by companies of all sizes, consider these attack facts from SecurityStats.com: an unprotected server placed on the Internet in mid-2003 was attacked 467 times in the first 24 hours; that same server detected 626 attacks in the three weeks following its first day on the Internet; the SQL Slammer worm required only 10 minutes to spread worldwide, doubling in size every 8.5 seconds; remediation costs of the MS Blaster worm were estimated at nearly $500,000 per company, with large companies reporting losses in the millions; at its peak, one in 12 e-mail messages on the Internet was sent by the MyDoom virus; PC viruses cost businesses an estimated $55 billion in 2003.

Keep 'em separated

Usually a company's firewalls and security devices protect the corporate intranet and the operations and automation networks. However, it is still advisable to separate operations and automation networks from the corporate intranet using firewalls, VLANs, or physical separation. Automation and operation systems are often mission-critical systems. This means they must remain operational for production to continue. Unfortunately, these systems often are not running current virus protection and current patches, but not due to a lack of effort on the part of manufacturers. In 2003, Microsoft released 51 security advisories across all products (about one patch per week) to help counter the new viruses and worms that are released daily by cyber-vandals.

All of this raises the question: What is the right amount to spend on security and related network infrastructure?

Hardware, software, personnel

According to several public surveys, security hardware, software, and personnel seem to comprise about 4% of IT budgets. Some industries, such as financial organizations and universities with mission-critical IT infrastructures, spend more—averaging about 7% of their IT budget (up to 20% in a few cases). An additional 7% is being spent on network infrastructure, with some of that money earmarked for security issues. META Group (an IT analyst organization) estimates the average security investment will peak at 8% to 12% of IT budgets in the United States by 2006. The security portion of IT budgets is split about one-third each on security hardware (firewalls, intrusion detection systems, e-mail scanners, etc.), security software, and security personnel.

Based on industry standards for mission-critical applications, the average manufacturing IT organization should be spending about 5% to 10% of its manufacturing IT budget on security. This is a comparatively small percentage and easy to forget or ignore in capital projects and yearly budgets. However, security costs must now be figured into expenses, much as insurance is now, because they represent a pure cost with no tangible return until the protection is needed. Then it definitely becomes money well spent.

For further reading on this topic, see the NIST "Introduction to Computer Security" handbook at http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf.


Author Information
Dennis Brandl is the president of BR&L Consulting, a consulting firm focusing on manufacturing IT solutions, based in Cary, N.C. dbrandl@brlconsulting.com
