Ninety-one Percent of U.S. Companies Perceive the Same or Less Vulnerability Than Last Year Despite Increase in Company Security Priorities and Planned Spending
NEW YORK; July 10, 2006 – Data security breaches continue to vex the majority of business technology professionals from around the globe, even though most do not acknowledge their own vulnerability to malicious attacks, according to results of the 2006 Global Information Security Survey published today by InformationWeek and Accenture, prompting increases in security spending in the coming year.
The survey of more than 2,000 business technology and security professionals from eight countries uncovered ongoing concern about hackers, malicious coders, customer data breaches and identity theft. That concern is underscored by the long list of priorities they’ve identified including raising user awareness (41 percent), enforcing security policies (36 percent), controlling system access (26 percent) and getting more resources (23 percent). However, when asked whether their companies are more vulnerable to attacks and breaches than a year ago, only 11 percent of respondents with U.S. companies, 13 percent of respondents in Europe, 16 percent in China and 25 percent in India thought so. The vast majority think their companies are no more vulnerable than before or about the same, an even higher level of confidence than found in last year’s survey.
In its ninth year, the online survey found an upswing in resources directed toward information security across the board. "As businesses continue to grapple with issues like risk assessment and customer data protection, it is helpful to see they’re getting the support they need from senior corporate management," said Rob Preston, InformationWeek editor in chief. "However, it’s critical that the higher confidence and spending levels don’t let security pros lapse into complacency."
Overall, global highlights and trends include:
- IT professionals in countries other than the U.S. were slightly more cautious in their own vulnerability assessments. Thirteen percent of respondents in Europe, 16 percent in China and 24 percent in India say their organizations are more vulnerable to security dangers than a year ago.
- Spending is expected to grow significantly this year. Fifty-seven percent of respondents in India said they expect to spend more on security technology than last year, as did nearly 50 percent of U.S. respondents, 42 percent of respondents in China and 25 percent of respondents in Europe.
- An increasing number of attacks were reported this past year. Fifty-seven percent of U.S. companies report being hit by viruses over the last year, 34 percent by worms, 18 percent by denial of service attacks, 9 percent by network attacks and 8 percent by identity theft.
- Variations exist among countries when it comes to the challenges they face and how they are addressed. Managing complexity appears to be most daunting for U.S. companies, while user access control is more of an issue in Europe and China. Those in India put security complexity and security policy enforcement front and center.
- Security outsourcing is more prevalent worldwide. Companies in China, the United States and Europe expect to increase their security outsourcing spending in the coming year by 24 percent, 23 percent and 16 percent, respectively.
- Compliance regulations drive security policies and practices. Improvements to infrastructure and application security and document management practices were brought about by Sarbanes-Oxley, the EU Protection Directive and the Bank Secrecy Act.
"We are not surprised by the expectations that security spending will increase significantly this year," said Alastair MacWillson, global managing partner, Accenture security practice. "Many companies are putting a lot of effort and money into meeting regulatory compliance in the belief that such measures will also improve security. While this may be the case in some circumstances, I do not believe it is a cost effective way of addressing security weaknesses in areas that really matter to the company."
"Those companies that do security well, integrate security into everything they do, recognizing that security enables them to do new things, and are able to justify the business value and show a return on their investment in security," MacWillson continued. "Consider, for example, online banking, which is not possible without bulletproof security."
Threat Response and Risk Management
- Companies spend more than 10 percent of their IT budgets on information security, on average, although the amount spent varies by geography. For instance, 30 percent of U.S. respondents said their companies plan on spending more than $100,000 on information security, compared with 15 percent of respondents in India, 10 percent of respondents in Europe and only 5 percent of respondents in China.
- Tactical security priorities for the year include monitoring security compliance, installing and monitoring intrusion detection tools and enhancing data. Telecom security is also a priority for a small percentage of companies, most likely due to Voice over Internet Protocol (VoIP) implications.
Facts about Security Breaches
- The most-reported method of attack is falsified information in e-mail attachments. The highest growth category for this type of attack is the abuse of valid user account/permissions.
- Hackers and malicious coders are still the most likely culprits, followed by an assortment of current and former employees and other authorized users.
- Spam prevention is a worldwide priority due to its impact on productivity. Compromised customer records and identity theft are also on the rise.
- Across the board, the biggest result of security breaches is network or application downtime. In China, half of the companies noted compromised confidentiality and system destruction. Most companies don’t quantify the significant financial costs of the resulting destruction.
Security Responsibility and Safeguards
- Many parts of an organization are responsible for security, with input from internal and external influencers. In the U.S. and China it is primarily the CIO and a crew of IT directors who set security policy; in Europe, the CEO/president is also involved and roughly one-third of all companies have a Chief Information Security Officer (CISO) that reports to the CIO or CEO.
- The president and CEO holds the purse-strings for spending on security technology in nearly half of U.S. and European companies and more than one-third of Chinese and Indian firms.
- Safeguards are now commonly in place for internal protection of customer data through employee education on privacy standards, secure Web transactions and encryption of transmitted communications. The majority of companies now monitor employees in many areas, including e-mail and Web site usage, use of instant messaging and the content of outbound e- mail messages.
Security Vendors and Outsourcing
Business technology executives consider many factors when selecting security products. In the U.S. and India, considerations include the technical product strength, total ownership costs, vendor service/support, pricing and integration. In Europe, product strength and pricing and in China service/support and integration are the most important factors.
A majority of firms are willing to accept "locking in" to a single vendor in exchange for better protection and reduced complexity. U.S. companies cite reducing complexity as the key reason for selecting a single vendor, while respondents in Europe, China and India cited the superior protection offered by integrated solutions as the main reason for doing so.
The Global Information Security Survey, an editorial research product of InformationWeek magazine and Accenture conducted online during May and June 2006, examined responses from 2,193 business technology and security professionals from eight countries.
The U.S. sample for this project was taken from the subscriber base of InformationWeek Magazine and its affiliates. Data for Europe, the U.K., France, Germany, Italy and Spain was provided by Harris Poll’s online panel. Information Week China, Cyber India Online Ltd (CIOL) and Ciao also contributed data for the study.
Accenture is a global management consulting, technology services and outsourcing company. Committed to delivering innovation, Accenture collaborates with its clients to help them become high-performance businesses and governments. With deep industry and business process expertise, broad global resources and a proven track record, Accenture can mobilize the right people, skills and technologies to help clients improve their performance. With more than 133,000 people in 48 countries, the company generated net revenues of US$15.55 billion for the fiscal year ended Aug. 31, 2005. Its home page is www.accenture.com.
InformationWeek sets the agenda for business technology executives, covering the full range of information access points IT decision-makers use today. A trusted, authoritative source and information filter, InformationWeek helps community members understand and focus on what’s important up-to-the-minute – in print, online, through independent research and at live, peer-to-peer events. Through its cross-media platform, InformationWeek delivers content to complement the print publication to its community of business technology leaders when and how they want it, 24/7. The InformationWeek community includes an audience of 2.5 million CIOs, IT executives and business managers who cut across industries, job titles, company sizes and global borders.
InformationWeek is consistently recognized for its commitment to excellence and thought leadership by the IT community, receiving many of the industry’s top media accolades, including several awards from the American Society of Business Publication Editors (ASBPE), top spots in BtoB Magazine’s Media Power 50 and Circulation Excellence Awards from Circulation Management Magazine.
About CMP Technology
CMP Technology is a marketing solutions company serving the technology, healthcare and lifestyles industries. Through its market-leading portfolio of trusted information brands, CMP Technology has earned the confidence of more professionals and enthusiasts in these fields than any other media company. As a result, CMP is the premier provider of access, insight and actionable programs designed to connect sellers and buyers in each of these industries in ways that yield superior return on investment. CMP Technology is a subsidiary of United Business Media (http://www.unitedbusinessmedia.com), a global provider of news distribution and specialist information services with a market capitalization of more than $3 billion.