Data security breaches continue to vex the majority of business technology professionals from around the globe, even though most do not acknowledge their own vulnerability to malicious attacks, according to results of the 2006 Global Information Security Survey published by InformationWeek and Accenture.
The survey of more than 2,000 business technology and security professionals from eight countries uncovered ongoing concern about hackers, malicious coders, customer data breaches and identity theft. That concern is underscored by the long list of priorities they've identified including raising user awareness (41 percent), enforcing security policies (36 percent), controlling system access (26 percent) and getting more resources (23 percent). However, when asked whether their companies are more vulnerable to attacks and breaches than a year ago, only 11 percent of respondents with US companies, 13 percent of respondents in Europe, 16 percent in China and 25 percent in India thought so. The vast majority think their companies are no more vulnerable than before or about the same, an even higher level of confidence than found in last year's survey.
In its ninth year, the online survey found an upswing in resources directed toward information security across the board. "As businesses continue to grapple with issues like risk assessment and customer data protection, it is helpful to see they're getting the support they need from senior corporate management," said Rob Preston, InformationWeek editor in chief. "However, it's critical that the higher confidence and spending levels don't let security pros lapse into complacency."
Overall, global highlights and trends include:
* IT professionals in countries other than the US were slightly more cautious in their own vulnerability assessments. Thirteen percent of respondents in Europe, 16 percent in China and 24 percent in India say their organizations are more vulnerable to security dangers than a year ago.
* Spending is expected to grow significantly this year. Fifty-seven percent of respondents in India said they expect to spend more on security technology than last year, as did nearly 50 percent of US respondents, 42 percent of respondents in China and 25 percent of respondents in Europe.
* An increasing number of attacks were reported this past year. Fifty-seven percent of US companies report being hit by viruses over the last year, 34 percent by worms, 18 percent by denial-of-service attacks, 9 percent by network attacks and 8 percent by identity theft.
* Variations exist among countries when it comes to the challenges they face and how they are addressed. Managing complexity appears to be most daunting for US companies, while user access control is more of an issue in Europe and China. Those in India put security complexity and security policy enforcement at the top of the list.
* Security outsourcing is more prevalent worldwide. Companies in China, the United States and Europe expect to increase their security outsourcing spending in the coming year by 24 percent, 23 percent and 16 percent, respectively.
* Compliance regulations drive security policies and practices. Improvements to infrastructure and application security and document management practices were brought about by Sarbanes-Oxley, the EU Protection Directive and the Bank Secrecy Act.
"We are not surprised by the expectations that security spending will increase significantly this year," said Alastair MacWillson, global managing partner, Accenture security practice. "Many companies are putting a lot of effort and money into meeting regulatory compliance in the belief that such measures will also improve security. While this may be the case in some circumstances, I do not believe it is a cost-effective way of addressing security weaknesses in areas that really matter to the company."
"Those companies that do security well integrate security into everything they do, recognizing that security enables them to do new things, and are able to justify the business value and show a return on their investment in security," MacWillson continued. "Consider, for example, online banking, which is not possible without bulletproof security."
Threat response and risk management
* Companies spend more than 10 percent of their IT budgets on information security, on average, although the amount spent varies by geography. For instance, 30 percent of US respondents said their companies plan on spending more than $100,000 on information security, compared with 15 percent of respondents in India, 10 percent of respondents in Europe and only 5 percent of respondents in China.
* Tactical security priorities for the year include monitoring security compliance, installing and monitoring intrusion detection tools and enhancing data. Telecoms security is also a priority for a small percentage of companies, most likely due to Voice over Internet Protocol (VoIP) implications.
Facts about security breaches
* The most-reported method of attack is falsified information in e-mail attachments. The highest growth category for this type of attack is the abuse of valid user account/permissions.
* Hackers and malicious coders are still the most likely culprits, followed by an assortment of current and former employees and other authorized users.
* Spam prevention is a worldwide priority due to its impact on productivity. Compromised customer records and identity theft are also on the rise.
* Across the board, the biggest impact of security breaches is network or application downtime. In China, half of the companies noted compromised confidentiality and system destruction. Most companies don't quantify the significant financial costs of the resulting destruction.
Security responsibility and safeguards
* Many parts of an organization are responsible for security, with input from internal and external influencers. In the US and China it is primarily the CIO and a crew of IT directors who set security policy; in Europe, the CEO/president is also involved and roughly one-third of all companies have a chief information security officer (CISO) who reports to the CIO or CEO.
* The president and CEO holds the purse-strings for spending on security technology in nearly half of US and European companies and more than one-third of Chinese and Indian firms.
* Safeguards are now commonly in place for internal protection of customer data through employee education on privacy standards, secure Web transactions and encryption of transmitted communications. The majority of companies now monitor employees in many areas, including e-mail and website usage, use of instant messaging and the content of outbound e-mail messages.
Security vendors and outsourcing
Business technology executives consider many factors when selecting security products. In the US and India, considerations include the technical product strength, total ownership costs, vendor service/support, pricing and integration. In Europe, product strength and pricing are the most important factors; in China, service/support and integration are.
A majority of firms are willing to accept "locking in" to a single vendor in exchange for better protection and reduced complexity. US companies cite reducing complexity as the key reason for selecting a single vendor, while respondents in Europe, China and India cited the superior protection offered by integrated solutions as the main reason for doing so.

• Date: 13th July 2006 • Region: Various • Type: Article • Topic: ISM