• By Neil Roiter. Senior Technology Editor, Information Security magazine
    23 Mar 2009 | SearchSecurity.com

    More than 60% of midsized and large enterprises in the U.S. and Western Europe are either outsourcing or considering outsourcing at least part of their security operations, according to a recent survey.

    The Symantec survey of 1,000 companies with a median size of 10,000 to 25,000 employees showed that about a quarter were now using managed security service providers (MSSPs) or some other form of outsourced security. Another third are either evaluating outsourced security or plan to do so over the next 12 months.

    Dollars and head counts don’t tell the whole story, however. Many companies reported difficulty finding and hiring people with the required security skill sets. Accordingly, nearly half the respondents cited access to expertise as a reason to adopt or evaluate outsourcing.

    The findings mirror Symantec’s own experience, says Grant Geyer, vice president of managed services at Symantec.

     “Customers come to us for three reasons,” Geyer said. “They don’t have staff or expertise to handle security in house; they have the staff, but want to keep them focused on more strategic projects; or they have had a breach, have a gap identified and quickly need to shore up the walls.”

     Not surprisingly, reducing overall costs and mitigating security risks were also frequently cited reasons for outsourcing. Enterprises also cited (in descending order) predictability in expenses, the burden of regulatory requirements, focusing in-house IT resources on the core business and easing staffing challenges.

    Image source: http://www.conexio.com

  • “Cyber-invaders.” That’s what Sen. Bill Nelson (D-Fla.) calls the hackers who have already twice this month broken into two PC workstations used by several of his key staff members.

    Although no classified information was kept on the breached PCs, the break-in demonstrates system vulnerabilities at the highest levels of government.

    In fact, Nelson says similar breaches on Capitol Hill computer networks are on the rise in recent months, based on reports from various Capitol Hill IS offices.

    “The threat to our national security, to be sure, is real; and, it will require significant investment and inter-agency coordination at an unprecedented level to gain an upper hand against would-be cyber criminals and spies,” Nelson said in a statement. “These are anxious days, when you consider the threat from such espionage facing our country and recent developments on this front.”

    These and other more serious breaches have led Nelson, along with Sen. Jay Rockefeller, D-W.Va. and Sen. Olympia Snowe, R-Maine, to call for the creation of a permanent national “cyber-security czar” reporting directly to President Obama. The three Senators have begun drafting legislation that, if passed, will require federal oversight and review of both government and “critical private networks,” and create a “public-private clearinghouse for cyber threat and vulnerability information-sharing.”

    Furthermore, another group of security and privacy experts has requested that President Obama create a federal library of data breach information in their report titled, The Perfect Storm: Why the New Administration Cannot Ignore Identity Theft.

    Nelson’s call for tougher U.S. cybersecurity oversight comes less than two weeks before management consultant Melissa Hathaway is due to deliver the results of her 60-day review of current U.S. cybersecurity policy to President Obama.

    Photo: Nelson (Tim Dillon/USA TODAY)

  • Sarah Rubenstein writes in today’s Wall Street Journal about the Obama Administration’s appointment of Harvard’s David Blumenthal to be its guru in charge of rolling out its big expansion of health IT (HIT).

    Image source: AP/Stew Milne

    “As national coordinator of health information technology, Blumenthal will have at his disposal the $19.5 billion dedicated to health IT in the recent economic-stimulus package. He has headed the Institute for Health Policy at Massachusetts General Hospital/Partners HealthCare System in Boston…

    “… For many doctors, especially those in solo or small practices, [Health IT] “conjures [an] image… of a waiting room full to bursting, a crashed computer, and a frantic clinician on hold with IT support…””

    “In the present U.S. political context, a bottom-up strategy for spreading HIT may be the only viable option,” they wrote, “but it would be unfortunate if this approach hardwired into our health information system the administrative inefficiencies that plague other parts of our health care system.”

    The stimulus bill calls for the government to establish standards to help avoid that sort of fragmentation. Other methods to improve administrative inefficiencies include ongoing training and education regarding the new HIT protocols coming down the pike.

  • In honor of Fraud Prevention month, Tom Rittman’s new whitepaper, featured on LossPrevention Magazine’s website, speaks to the importance of protecting retailers’ bottom lines with Fraud Prevention…

    “It’s no secret that sales are down,” says Rittman. “However, what many retailers don’t realize is that the rise in fraudulent and abusive returns is a contributing factor, costing them millions in profits. In fact, according to the National Retail Federation (NRF), returns and exchanges increased almost 20% over the past year. More and more, desperate consumers are using returns as “the new cash” creating a devastating effect on unwary retailers.”

    In short, retailers must be proactive if they are to protect themselves from fraud and abuse, especially in today’s economic climate. Rittman suggests implementing a variety of approaches for fraud prevention, including:

    • Proper Training – Train staff on company return policies and follow up to confirm that they are using those guidelines. This includes warning employees of the ramifications if caught processing fraudulent returns.
    • Utilizing Technology – Implement return authorization programs such as Verify-1 to prevent fraudulent return activity, take the subjective nature out of the return process and protect customers’ privacy.
    • Adequate Staffing – Provide proper staffing to increase positive interactions with customers as well as to deter fraud.
    • Education – Remain updated on the latest fraud trends and work closely with staff to employ prevention strategies.
    • Learning from Peers – Join a retail trade association like NRF or RILA and leverage the loss prevention expertise of your peers.

    Rittman’s article illustrates that training and education are two key components to help your organization proactively prevent fraud and potentially save thousands of dollars.

  • According to an article in today’s Wall Street Journal, “U.S. agencies from the Pentagon to the Department of Homeland Security have experienced major cyber-break-ins in recent years, even into classified systems. Cyberspies also have siphoned off critical data from Pentagon contractors, including one breach that cost a major aerospace contractor $15 million.”

    Annual U.S. losses from cyber breaches are estimated to be in the billions of dollars, and there is legitimate concern that a nuclear power plant or subway line could be hacked via the Internet, or that data could be breached at the nation’s larger financial firms.

    According to the WSJ, “Anticipating the demand, defense companies are bolstering training, buying smaller firms and hiring former top government officials. The move into the cyber-security field could offer new revenue streams for the contractors and help offset declines stemming from budget pressures on the Defense Department’s traditional weapons systems.”

    However, third-party contractors also need to watch their own network security, said Tom Kellermann, a vice president at Core Security Technologies, citing a Verizon report last year that found 39% of cyber breaches implicated contractors and other third parties.

    The bottom line is that, in order to provide true value in the cyber security arena, Government Contractors must not only provide technology solutions, but also ongoing training and education.

    After all, “technology tends to be a reactive measure… Technology is a great thing once we’ve understood the processes, policies, and procedures that we want to use… but you can’t start with technology… If you [do], you’re bound to fail” - John Pironti, BankInfoSecurity Interview, 11/6/07.
