By Andy Kellett, senior analyst

(11.19.09) According to widely reported statistics the U.K. economy continued to shrink between July and September this year making the recession the longest since records began.

And while there is evidence that other European economies are beginning to show the first positive signs of recovery, all countries within the European Union continue to suffer from rising levels of unemployment.

At the beginning of the downturn it was recognized that businesses would shed staff, and that due to the technology skills that many employees possessed, reprisals against corporate systems were likely.

Therefore, six quarters down the line, it is relevant to see how well businesses have fared in their attempts to keep corporate information systems safe, and to investigate how constraints on IT spending have impacted corporate protection strategies.

Anecdotally, data theft is on the rise, with the number of instances of data losses growing significantly over the last two years. This is not at all surprising given the current trading circumstances and also the ease with which data can be moved across business boundaries.

However, given the time that has elapsed since the start of the downturn, it is clear that not enough has been done to address key information security shortfalls.

A new Ernst & Young global information security report bears out this argument. It highlights specific areas where under-funding of security investment and poor levels of resourcing have resulted in major business-protection concerns.

However, the survey in its introduction states that not everything falls into the category of 'doom and gloom', and indeed some results are said to be "encouraging in that many organizations are now taking a more holistic view of security and focusing on the overall health of their information security programs."

That said, the survey also reveals: "the lack of adequate budget and resources continues to be a significant challenge". The report says senior managers are under pressure to cut costs and to rely on already-deployed security systems, and embargoes on recruitment mean they are not expected to be able to attract fresh talent.

The report provides specific areas of concern that are expected to have a direct effect on security cutbacks. These include a 41 percent rise in respondents who reported an increase in the number of external attacks, a figure in line with our own experiences and the growth of the latest fraudulently motivated attack models.

Importantly, 25 percent witnessed an increase in internal attacks, with a 13 percent increase in internally perpetrated fraud. Of the respondents, 75 percent said they continue to be concerned about potential information theft opportunities from recently departed employees, suggesting little confidence in the protective actions that have so far taken place.

While the survey clearly shows that levels of internal and external risk continue to rise, spending levels on key areas of information protection are failing to keep pace, irrespective of associated technology usage risks.

On the theme of business efficiency and cost-reductions overriding security needs, the report identifies that 78 percent of organizations will have implemented virtualization technologies before the end of next year.

Amazingly, only 19 percent of those organizations indicated that virtualization is a security priority, leaving systems and information protection to continue to play technology catch-up.

Protecting an organization or a government department's reputation by ensuring that its information systems remain secure is not an easy task. Technology through the use of good quality security has an important role to play.

However, organizations persist in making the same mistakes by continually underplaying the need for forward-looking protection. It is only at the point where existing loopholes are exploited, information is lost, and the overriding need for protection is proved, that the minister responsible or the director in charge is required to say that lessons have been learned and the same mistakes will not be made again.

If only that were true. ENS