Financially motivated data breaches are set to cost businesses 20% more each year until 2009, Gartner analysts have said.

John Pescatore, VP at Gartner, said the biggest risk to organisations came from targeted attacks. He added that “phishing and identity theft attacks have caused the rise of ‘credentialed’ attacks, in which the attacker uses the credentials of a legitimate user”.

Malicious software (malware) attacks allowed internal executables to be used to forward information to an external attacker, Pescatore warned. “Being aware of ‘inside out’ communications and being able to block those as effectively as ‘outside in’ is becoming increasingly important,” he said.

It was important to make sure that security strategies reduced the cost of dealing with mass attacks, Gartner advised, in order to free up budgets for the next generation of security attacks.

The average business was spending more than 5% of its IT budget on security, and another 7% on disaster recovery, Gartner calculated.

The analysts also reckoned 90% of targeted attacks could be avoided without an increase in firms’ security budgets, and said the investments that enterprises had made in intrusion prevention, vulnerability management and network access control had largely paid off.

But there was little or no correlation between organisations that spent the most on security and organisations that are the most protected, it said.

Gartner said the most effective way to become increase the efficiency of security spending was to avoid vulnerabilities by ensuring that security was a top requirement for every new application, process and product. It was also important to establish security metrics to measure spending efficiency.

It advised firms to take a proactive approach to security, by using a mix of strategic planning and rapid tactical execution.

Also read:

Mac OS and Linux 'may have web security problems too'

Financial institutions spending on security and governance

Severity of security breaches worsens