Today's enterprises are not spending their security dollars wisely, often shelling out vast sums to protect their least-sensitive digital information while ignoring common risks like insider threats and paper theft - a situation that security experts insist is likely to get worse over the next four years.
Recent research conducted by analyst firm Forrester indicates that organizations are spending millions on security, but not in the areas where the risk is greatest.
"There has been a lot of spending on network security, but the perception is there is not a lot of risk in that area," says Forrester senior analyst Tim Sheedy. "But there is very little spending around insider abuse, social engineering or even paper theft, which are major risks to the organization."
Sheedy claims that in a few years IT security will be measured much like other business metrics. Businesses will be able to factor in the actual information security risk, based on factors such as employee behaviour, system readiness and the financial ramifications of employees who expose an organization's most sensitive information - either willingly or by accident.
"Putting actual metrics - and particularly financial metrics - around security is going to be a major trend," Sheedy said. For example, Sheedy suggests firms will be able to gauge the financial implications of employees who are not trained in certain security protocols.
"You could state because 20 percent of employees operate in an [insecure] way, they represent a $300,000 risk to the organization," he said.
Mark Pullen, country manager of RSA Security, said enterprises are not ready for the security threats of the future. By 2010, says Pullen, industries like retail, construction and finished goods will have to deal with the same online nasties that plague online banking today - and most won't be ready.
"It will take bankruptcy for many organizations to take security seriously," Pullen says.
"Within 37 months I think there will be a public company either forced into Chapter 11 (US bankruptcy code) or forced into bankruptcy in Australia because of a security breach that either resulted in goods being stolen from them or an incident with such an impact a company is forced to shut down," he said.
"People are not ready for these threats," he added.
According to Pullen, when it comes to threats like phishing and malware, the enterprise's greatest enemy is time - the time between when an e-mail is sent out and when online fraud is committed.
"If you can cut down that time and shut down an attack, it massively reduces the ability for phishers to steal money," Pullen said.
"The security skills shortage will eventually drive the adoption of modern technology to do the basics of security that people will need to do."
Ben Guthrie, Trend Micro's product and marketing manager, thinks that the biggest challenge to information security in 2010 will be how to address threats over Web traffic.
Guthrie said protecting the flow of information over both HTTP and FTP is crucial, since these protocols are used for the majority of spyware and similar types of attacks.