Concern over Compliance, Instant Messaging and Internal Attacks is Spurring Changes
NEW YORK; Aug. 29, 2005 – Regulatory compliance, internal attacks, and the vulnerability of electronic communications – especially instant messaging and e-mail – are among the key factors reshaping data security systems, according to the U.S. results of the 8th annual Global Information Security Survey by InformationWeek Magazine and Accenture.
At the same time, the U.S. Information Security Survey uncovered indications that companies and organizations are failing to provide rigorous protection of customer and client data. The survey, which was conducted over the Web this summer, received responses from more than 2,500 U.S. information technology and security professionals.
Highlights:
- Compliance is reshaping corporate security practices.
- Security attacks are becoming increasingly more sophisticated, yet basic passwords continue to be the most common line of defense.
- Security breaches are increasingly coming from within, forcing companies to keep tabs on their employees.
- Vulnerabilities in operating systems and applications – including the use of instant messaging – continue to be common points of entry.
- Concern continues to grow over privacy and identity theft, yet organizations are failing to provide rigorous protection of customer data.
“Companies are taking a more structured approach to information security and making it more of a priority,” said Alastair MacWillson, partner in charge of Accenture’s security practice. “Many companies are beginning to see the benefits in leveraging new technologies to proactively assess and manage threats and vulnerabilities, and are consolidating, integrating and securing applications to improve integrity and productivity.”
Regulatory Impact
There are indications that compliance requirements like Sarbanes-Oxley, HIPAA, the U.S. Home Security Act and the U.S. Patriot Act are reshaping corporate security practices. According to the survey:
- 60 percent view regulatory compliance as more of a governance issue than a technology problem.
- Over half of the survey respondents report that government regulations have pressured their company to adopt a more structured approach to information security.
- About two in five say the threat of government penalties has made achieving regulatory compliance an information security priority.
- While only a third say achieving compliance is a main catalyst of security-related purchases, over half say it has made their company more cautious about their use of security hardware, applications and services.
Threat Perception and Attacks
Security attacks are constantly evolving, making it difficult for companies to stay one step ahead.
For example:
- Malicious intent is a concern for 45 percent of respondents. Yet few tie their firm’s vulnerability to the lack of a well-defined information security strategy or managerial involvement in security practices and policies.
- One third of respondents blame budget constraints for their firm’s susceptibility to security breaches.
- Significant damages attributed to actual attacks – financial losses, security incursions and identity theft – are uncommon.
- Planted spyware code, however, has caused slowdowns in network performance and employee productivity in three quarters of the companies.
- Viruses affected two-thirds of surveyed sites last year.
- E-mail is proving to be the launching point of assaults, with falsified information in an e-mail attachment reported as the primary method of attack at 35 percent of surveyed sites.
- Minor financial losses were confirmed at one in five sites.
Security Tactics
As a result of the vulnerabilities with instant messaging and E-mail, electronic communication has become a major focus of employee monitoring with attachments and content of outbound messages carefully scrutinized. Basic-user passwords still remain the most prevalent method used by companies to protect themselves against security breaches. Informing employees of privacy or behavior standards, posting privacy policies online and using secure Web transactions are the steps taken to safeguard the privacy of customer data. In addition, the survey reveals that:
- Only a quarter of respondents report no monitoring of workers.
- The monitoring of instant messaging has jumped from 25 percent to 34 percent since last year’s survey.
- Only 15 percent of sites have created the position of chief privacy officer and less than 30 percent have conducted privacy policy audits to ensure there are adequate guidelines. In fact, practices concerning the security of customer data are categorized as only fairly rigorous at half of the sites.
Security Costs
A majority of U.S. companies spend below $500,000 on security expenses, with half anticipating increased spending in 2005 over the previous year, and only 3 percent expecting spending to decline. Performance and return on investment count the most when purchasing security products.
“Despite the fact that information security professionals are adopting many state-of-the-art security practices, certain lapses still exist that can result in serious financial losses for corporations or a violation of customer trust,” said Rusty Weston editor, InformationWeek Research. "Security professionals lack the ability to control every point of entry, but worse, they have too much faith in technology that claims to automate network defenses.”
About the Survey
The 2005 Global Information Security Survey is an editorial research product of InformationWeek magazine and Accenture. The study was fielded entirely on the Web during the month of July and early August 2005. This is the eighth year InformationWeek Research has conducted its Global Information Security Study. This report examines the responses of the 2,540 U.S. business-technology and security professionals that participated in the 2005 study. The U.S. sample was supplied from the subscriber base of InformationWeek and the publication’s affiliates - Optimize, Wall Street & Technology, Bank Systems & Technology, Insurance Systems & Technology, Software Development, Dr. Dobbs, Network Computing, Network Magazine, TechWeb and Secure Enterprise.
About Accenture
Accenture is a global management consulting, technology services and outsourcing company. Committed to delivering innovation, Accenture collaborates with its clients to help them become high-performance businesses and governments. With deep industry and business process expertise, broad global resources and a proven track record, Accenture can mobilize the right people, skills and technologies to help clients improve their performance. With more than 115,000 people in 48 countries, the company generated net revenues of US$13.67 billion for the fiscal year ended Aug. 31, 2004. Its home page is www.accenture.com.
About InformationWeek
InformationWeek helps more than 440,000 Business Technology Professionals who buy, build and manage technology drive business innovation powered by technology. In addition to the weekly magazine, InformationWeek provides a platform of information solutions including www.InformationWeek.com, InformationWeek Research, InformationWeek Events, which includes the InformationWeek Conference for Business Technology Executives and the InformationWeek Daily, an e-mail news service. In May 2003 in conjunction with Optimize, InformationWeek launched its Media Network. The Media Network consists of Optimize and Government Enterprise, as well as its Vertical Industry Network publications – Bank Systems & Technology, Insurance & Technology and Wall Street & Technology. InformationWeek is consistently recognized for its commitment to excellence and innovation, receiving several of the industry’s top media accolades including top spots in BtoB Magazine’s annual Media Power 50, as well as awards from ASBPE and Circulation Management magazine.
About CMP Media LLC
CMP Media (www.cmp.com) is the leading integrated media solutions company providing “broad and deep” access to the entire technology spectrum — the builders, sellers and buyers of technology worldwide. The company’s comprehensive database of technology decision makers enables marketers to reach targeted audiences throughout the purchase process with publications, web offerings, face-to-face events, consulting and other marketing services that deliver actionable results.