Nearly 40 percent of new security spending by businesses in 2007 will be directed towards protecting data, research firm Gartner said Tuesday, indicating a shift from securing the network to shielding information.

Increasing incidents of data loss, the rising costs associated with each incident, and the public disclosure that companies have to make after a data breach have led to the change, said Gartner.

“The rate of data breaches has increased materially over the last two years,” said Rich Mogull, vice-president of research, Gartner. “There’s more information out there than ever and there’s actual financial value attached to that data, which has attracted the bad guys.” 

For companies, data loss can be expensive. When customer data is stolen or misplaced, it can cost businesses more than $90 per exposed account counting legal expenses, clean up and recovery, and communications costs, said Gartner. And that’s not counting the damage to the comapanies’ reputations from the public disclosure of the loss.

“If you are a company that has lost 55,000 records, then it can work out to more than $5 million in financial losses for you,” said Mr. Mogull.

Incidents of data theft have been dominating the headlines for more than a year now. Last year was labeled a banner year for data leaks as some of the United States’ largest financial and retailing giants had sensitive customer data lost or stolen.

In March, hackers broke into CardSystems, a credit card processing company, exposing the details of 40 million credit cards. The resulting $1 billion in losses nearly put the company out of business (see CardSystems Bought (Again)).

The same month, more than 1.5 million consumer records were stolen from databases at DSW Shoe Warehouse. Later companies like Time Warner, and Citigroup said they had lost personal information of their users.

Still, few businesses are taking steps to curb the problem, said Mr. Mogull. “Just about 20 percent of enterprises are leading the way with proactive measures to protect their data,” he said. “The rest are using an approach that is more suited to please the regulators.”

Protecting the data
While businesses may be slow to react, security companies have introduced a number of products to tackle data leakage. These include access control that can regulate access to sensitive information, encryption, content monitoring and filtering so that data cannot leak out of the network, and database encryption.

Database encryption, specifically, is a fast growing segment, said Mr. Mogull.

“It makes good business sense for companies to focus on tighter controls around sensitive data, especially in databases,” said Phil Neray, vice president of marketing for Guardium, a database auditing and protection company.

Started in 2002, Waltham, Massachusetts-based Guardium said it has seen strong interest among mid-sized companies that are looking at database encryption as a way to not just protect data but also be compliant with regulations. Other startups in the segment include Tizor and Lumigent.

In a sign that the market has caught the eye of some of the bigger security companies, Symantec said it plans to soon launch a database auditing and protection product. The product is the first to come out the Symantec Research Labs that was set up about 15 months ago (see Symantec Imitates a Startup)

“Symantec recognizes that it is an important space,” said Mr. Neray, “and their entry will raise awareness that this type of technology is important for companies.”