Your CIO just approved your quarterly budget. And you, running the shop, automatically dish out the spending to IT security on network security. That's where hackers are attacking, yes?
Well, right and wrong.
According to Oracle, which reported its latest research in IT security spending on Monday, the majority of enterprises are allocating their IT security resources on networking equipment rather than the server banks that store vast amounts of corporate and user data.
Out of the 110 companies surveyed by Oracle — from financial services, government, and high-tech sectors — close to 66 percent believe they apply an "inside-out" strategy, which leaves most resources allocated to protecting the networking layer. Meanwhile, less than one-quarter of the staff and budget resources are dished out to protecting the core storage units, servers, applications and databases.
Just shy of half of all respondents said that databases were safe because they were embedded deep within the confines of the security perimeter.
Except, we've all seen data breaches to the contrary splashed across the online news. Take Dropbox, for instance.
"A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses," Dropbox vice-president of Engineering Aditya Agarwal said in a blog post in 2012. The hacker didn't have to burrow underground or blast open a door with C4 explosives — they basically walked into Dropbox's Fort Knox with the keys in hand.
And that's just one example. There are many breaches, in fact, that rely on the weaknesses of user passwords, rather than the ability to specifically target an exploit a zero-day vulnerability in a corporate system.
Other snippets from the report include:
- 90 percent report the same or higher spending in IT security on the 12 months prior
- 40 percent of organizational respondents said an "unbalanced" and "fragmented" approach to security left applications, and corporate and user data vulnerable to both outside threats and internal data breaches
- Almost two-thirds of companies plan to boost spending in the following year
- More than one-third of organizations' security spending went up based on news
reporting and "sensational sources" rather than internally-identified organizational risks
Oracle chief security officer Mary Ann Davidson said in prepared remarks: "Organizations can't continue to spend on the wrong risks and secure themselves out of business. When attackers do break through the perimeter, they can take advantage of weak security controls against the core systems by exploiting privileged user access, vulnerable applications, and accounts with excessive access."
"Organizations have to get the fundamentals right — which are database security, application security and identity management."