Financially motivated targeted attacks are becoming more prevalent and new vulnerabilities continue to be reported, but 90% of these attacks can be avoided without requiring any increase in security spending, according to Gartner. However, ensuring one’s enterprise is not part of the 10% requires implementing security processes to monitor and manage vulnerabilities and provide strong identity and access management capabilities.

Gartner analysts estimate that the cost of sensitive data break will increase 20% per year through 2009. Gartner says that the average enterprise is spending more than 5% of the IT budget on security and close to 12%, if disaster recovery spending is included. However, Gartner has seen little or no correlation between enterprises that spend the most on security and enterprises that are the most secure.

“The most effective ways to become more secure while reducing security spending are to avoid vulnerabilities — to ensure that security is a top requirement for every new application, process or product, whether built in-house or acquired from a vendor” said Ray Wagner, managing vice president for Gartner.

The approach to security needs to move from a reactive approach to a mix of strategic planning and rapid tactical execution. “The key is to identify major technology changes and start taking steps to reduce the cost of dealing with today’s mature threats — viruses, worms and denial-of-service attacks — to free up funding and manpower to influence the new systems and business processes that are being built today and that will bring on the next generation of threats,” said Pescatore.