With economic gloom dominating the headlines, it is tempting to rush to batten down the hatches and ride out the storm. Budgets are harder to come by and every item of expenditure needs greater justification.
It is a time of great uncertainty, but one thing that is sure is that security threats will continue to rise. Data loss remains a key concern—in 2008 more than 30 million data records were lost by the UK government alone, and each such loss could put every individual concerned in danger of having their identity stolen. Spam is becoming increasingly malicious, and web sites are being attacked more and more frequently as other vectors of attack are closed off through point security solutions.
Quocirca recently spoke with a leading European retailer to discover what its priorities are for 2009. As a retailer, one of its prime concerns is to achieve compliance with the Payment Card Industry (PCI) regulations regarding data security. While no hard-and-fast deadlines have been set in Europe for compliance, the acquiring banks are demanding progress to achieve compliance and may start to impose fines—something that is already being seen in the US, where compliance is now mandatory. For any organisation handling credit card payments, achieving PCI compliance will be a major focus for technology budgets.
Beyond that, some big projects will simply have to wait. But there are certain things that cannot be delayed. For this retailer, the priority will be placed on technology investments that help to keep the attackers at bay. As research undertaken by Quocirca during 2008 shows (Why application security is essential, sponsored by Fortify Software), organisations are increasingly writing their own software applications or modifying off-the-shelf software packages, and this retailer is no different. But software applications are increasingly being targeted by hackers who are trying to get their hands on the sensitive data those applications hold.
For this reason, security investments in 2009 will be focused on protecting those applications from attack. According to the retailer, key areas for investment will be event correlation to help predict and prevent infrastructure problems, vulnerability scanning for applications to detect security weaknesses, intrusion prevention systems, and penetration testing, in which computer systems or networks are probed using techniques that a hacker would employ to seek out vulnerabilities that could be exploited. But, as the retailer cautions, any such investment needs to cover all systems and networks—if it is not scalable and does not cover the entire estate, funding will not be made available.
So, it looks like compliance and keeping hackers at bay will be the areas in which most security investments are likely to be made during 2009. But there is one other area of investment that many organisations are undertaking and that is in security awareness programmes for employees. According to the retailer, awareness training is vital so that staff are made to realise the damage that they can do not only to themselves, but also potentially to the organisation, through poor security practices. This programme is now in place with this retailer regularly sending out related communications and messages using a variety of channels.
But, as the retailer emphasises, this is not a one-off exercise, but rather something that must be continuously supported so that complacency does not set in.
So it would seem that the canny organisations will not be burying their heads in the sand but will continue to invest in protecting themselves from security threats. In this way, organisations may actually save money that might otherwise have been spent clearing up after a security incident that could have been avoided. Compliance with legislation will also continue to drive technology spending, and the regulatory burden is likely to increase, not decrease. But, as the example from this retailer shows, it is just as important to teach people to protect themselves, and investing in security awareness programmes is likely to pay off by reducing the threats caused, albeit unwittingly, by employees themselves. An ounce of prevention is worth a pound of cure.