Fallback Plain Failures

Judging the threats posed to computer security, and how to combat them, has never been more complicated. What are the big threats, and what do you have to do to be prepared in 2006.

5 - Backup Tape Losses

At the most basic level, recent publicity about the loss of tapes containing consumer data focuses attention on the need to physically transport tapes to a backup location or credit bureau in a safe and secure manner.

By using encryption, companies can also make the data encoded on tapes safe from prying eyes, even if the tapes are lost or stolen.

However, encrypting large volumes of data can take hours, bogging down system operations. A successful encryption strategy requires careful management of the mathematical keys used to scramble the data, or else it won't be possible to unscramble it when it's really needed—perhaps when the backup tapes must be decrypted to restore the operations of a business in the wake of a disaster. In some cases, specialized computer appliances for encryption and decryption from vendors like nCipher are helping businesses accelerate encryption processing and make it more practical.

Particularly in retail industries that handle a lot of consumer data, information managers are giving more consideration to encrypting that data wherever it is stored, or "at rest" in industry jargon, as opposed to encrypting transmissions over a network.

granted, computer security is expensive. Information security spending has been growing at 16% a year for the past couple of years, while overall information-technology spending has only been growing 4% a year, according to Gartner. As a percentage of revenue, corporations are already spending about as much on information security as they are on more traditional ways of managing risk, such as property and casualty insurance, MacDonald says.

But after several years of increasing spending on information security, chief information officers and security officers are going to have to turn their attention to getting more security for less money, according to Pescatore and MacDonald. "We don't believe you have to spend more to be more secure. That's the track that we've been on, but it's not sustainable," MacDonald says.

Controlling costs will require aggressively "operationalizing" the routine aspects of information security by shifting responsibility for those tasks "to people who are good at doing repetitive tasks well," MacDonald says. In other words, you might begin outsourcing management of established security technologies, such as firewalls, and use experienced professionals to figure out, say, which intrusion prevention technologies to deploy.

Security software vendors can also be pressured to reduce costs by combining separate products, such as antivirus, anti-spyware and intrusion prevention, into "converged security platforms," according to the Gartner analysts. Instead of paying $20 to $25 each for antivirus, personal firewall, anti-spyware and other protections, a converged platform will deliver all of this functionality in 2006 for approximately $40 to $50 per machine, Gartner predicts.

So very simple, right? Just protect your company from financial losses, espionage and public ridicule, and do it in the face of new, perhaps more sinister threats—and do it for less. 6 to do's for '06

• Protect against targeted attacks with more advanced intrusion prevention.
• Tighten network access control, both inside and outside the firewall.
• Make sure you know who your users are.
• Deploy more secure software.
• Reexamine how you handle backup tapes and data storage in general.
• Do more with less.