Financially motivated targeted attacks are becoming more prevalent and new vulnerabilities continue to be reported, but 90 percent of these attacks can be avoided without requiring any increase in security spending, according to Gartner. However, ensuring one's enterprise is not part of the 10 percent requires implementing security processes to monitor and manage vulnerabilities and provide strong identity and access management capabilities.

"The biggest attack risk to enterprises comes from targeted attacks," said John Pescatore, vice president and distinguished analyst for Gartner. "In addition, phishing and identity theft attacks have caused the rise of 'credentialed' attacks, in which the attacker uses the credentials of a legitimate user."

"Malicious software (malware) attacks also allow internal executables to be used to forward information to an external attacker," Pescatore said. "Being aware of 'inside out' communications and being able to block those as effectively as 'outside in' is becoming increasingly important. Security strategies must reduce the cost of dealing with mass attacks to free up investment and personnel resources to evolve capabilities for dealing with these more-complex targeted attacks."

Gartner analysts estimate that the cost of sensitive data break will increase 20 percent per year through 2009. While mass attacks such as worms and viruses have continued, the investments that enterprises have made in intrusion prevention, vulnerability management and network access control have paid off, as those simple mass attacks have succeeded much less often. However, the attackers are now more financially motivated and have launched new waves of attacks that, when successful, cause enormous damage to the bottom line, but that often go unreported.

According to Gartner, the average enterprise is spending more than 5 percent of the IT budget on security and close to 12 percent, if disaster recovery spending is included. However, Gartner has seen little or no correlation between enterprises that spend the most on security and enterprises that are the most secure. While there are definite areas that require additional investment, there are just as many areas of security that can be done more efficiently.

"The most effective ways to become more secure while reducing security spending are to avoid vulnerabilities -- to ensure that security is a top requirement for every new application, process or product, whether built in-house or acquired from a vendor," said Ray Wagner, managing vice president for Gartner. "Just as important is understanding where security funds are being spent and where that spending is effective or ineffective. Security metrics should be established for all major security spending areas."

The approach to security needs to move from a reactive approach to a mix of strategic planning and rapid tactical execution. "The key is to identify major technology changes and start taking steps to reduce the cost of dealing with today's mature threats -- viruses, worms and denial-of-service attacks -- to free up funding and manpower to influence the new systems and business processes that are being built today and that will bring on the next generation of threats," said Pescatore.