The cyber-security industry is on Defcon 1 high alert.
The recent rash of attacks on dozens of websites including those of the CIA, the FBI and even PBS is roiling the security industry and increasing demand for cyber-defense experts.
“Every time one of these breaches makes the news, I will tell you, my phone rings off the hook,” said Chris Novak, a manager of Verizon Communications Inc.'s Investigative Response Team, which now has nearly 100 members, more than double from a year ago.
With the surge in attacks in recent months, Novak sees the team tripling in size this year. The unit investigates Internet break-ins for companies around the world. Lately, its command center, where it monitors hacking activity, “has been extremely busy,” he said.
The business of protecting computers and servers from intruders has been growing nearly 10% a year since 2006, but security industry officials say 2011 may be the busiest yet. Companies are expected to spend $75.6 billion, easily surpassing last year’s record of $63 billion.
Security and data breaches have cost U.S. companies nearly $96 billion in just the first six months of the year, almost as much as it cost them in all of 2010, according to the Ponemon Institute, a research group that studies Internet security. The costs include spending on security experts and investigations, loss of work caused by a breach, system software upgrades and the value of stolen intellectual property and funds from bank accounts.
Sony alone has estimated it will lose more than $170 million from hackers breaching its PlayStation Network in April and stealing credit card information of its 70 million members. The damage includes loss of revenue and additional spending on security enhancements and legal fees.
“And we’re only aware of the ones that have been discovered,” said Larry Ponemon, chairman of the Ponemon Institute. “That’s the scary thing.”
In the last year, 90% of businesses have suffered at least one security breach, and more than half had at least two, according to a separate Ponemon study sponsored by Juniper Networks, a networking security firm.
“What we’re seeing is not a matter of if,” said Johnnie Konstantas, a security expert for Juniper. “It’s when will an organization be hit.”
The first quarter saw the most incidences of so-called malware ever, according to security company McAfee Inc. At least 6 million new kinds of malware were detected, up from about 4 million in the same period last year. The malicious software, often downloaded unknowingly by the user, slows down a computer or wipes out files on the hard drive.
Security worries have intensified with the rash of attacks by a hacker group calling itself LulzSec. The group went on a 50-day rampage across the Internet, striking the websites of the CIA, the FBI, the U.S. Senate, Arizona police and a British police agency, among others.
The hacker group, which also attacked the websites of Sony, Fox, PBS and Nintendo, various porn websites and multiple video game servers and websites, stole and published the account information of hundreds of thousands of individuals.
The high-profile attacks on recognizable brands have intensified calls for beefing up Internet security, industry observers say.
“Once it starts happening to big enterprises and it gets to the media, it gets the attention of chief executives,” said Mickey Boodaei, CEO of Trusteer Corp., a security firm specializing in shielding companies from targeted hacker attacks. “And that’s when enterprises are starting to look for solutions.”
With the stepped-up demand, salaries for security experts are expected to grow, said Ron Delfine, the director of career services for the cyber-security program at Carnegie Mellon University’s Heinz College. So far, the pool of students with cyber-security majors or concentrations has lagged behind demand.
“If companies are going to want to get these students,” he said, “those salaries are going to go up because they’re going to want to pay them a little bit more money to attract them to their organizations.”
The average entry-level salary for cyber-security graduates coming out of Heinz College has increased steadily, from $69,788 in 2007 to $80,275 in 2010. Delfine said he expected the salaries to continue to increase.
“These types of attacks illustrate how important it is for an organization to take security very seriously,” said Matthew Prince, CEO of CloudFlare, a San Francisco start-up that improves websites’ security and performance.
Many companies don’t currently have specific people focused on security, often leaving that responsibility to IT administrators. About 1.9 million people dabble in security issues, but only about 346,000 are fully dedicated security specialists, according to Ponemon.
But after the recent string of attacks, more organizations are expected to begin beefing up and allocating more money toward their security, said Eric Kinsey, a recruiter of cyber-security professionals.
“Now with the emphasis on all the hackings, a lot of organizations are carving out a specific role for this type of skill,” he said.