Information security: Technology is not enough

The Global State of Information Security Study by PricewaterhouseCoopers, Chief Information Officer (CIO) and Chief Security Officer (CSO) magazines finds e-mail and abused valid user accounts and permissions to be the primary methods for security attacks, yet only half of respondents employ routine people-related information security safeguards.

Organisations worldwide are investing in infrastructure but lagging in implementation, measurement and review of security and privacy policies according to the 5th annual Global State of Information Security Survey 2007. This is a worldwide study by CIO magazine, CSO magazine and PricewaterhouseCoopers.

The study, which is the largest of its kind, represents responses from 7,200 IT, security and business executives in more than 119 countries across all industries.

Indeed, for the first time, employees took over the number one spot as the most likely source of an information security event. The majority (69 per cent) of respondents cite employees and former employees as the likeliest source of attacks, surpassing hackers at 41 per cent.

E-mail and abused valid user accounts and permissions are reported as the primary methods for such attacks, yet only about half (52 per cent) of respondents employ routine people-related information security safeguards.

Results show that IT is taking budgetary control this year, with the majority of information security budgets now coming directly from the IT department. Additionally, data breaches are driving privacy concerns, but encryption of data at rest remains a low priority, despite it being the source of many data leakage issues.

According to the survey, the majority of organisations heavily invested in technology safeguards such as network firewalls (88 per cent), data backup (82 per cent), user passwords (80 per cent), and anti-spyware software (80 per cent). However, the investment of time in practical measures remains low. For example, 63 per cent of respondents state they do not audit or monitor user compliance with security policies, and 48 per cent measured and reviewed the effectiveness of security policies and procedures in the last year.

"Clearly, there is a greater awareness of the threats, as well as the tools and safeguards available to offset threats and protect against attack. But sound infrastructure is only half of the solution," says Mark Lobel, a principal in the advisory practice of PricewaterhouseCoopers.

"Security leaders and practitioners need to create and enforce internal policies in order to help ensure appropriate use and protection of corporate information systems. Uncertainty about the business value of security investments will continue to be high as long as companies fail to monitor user compliance or measure the impact of information security safeguards." According to the survey, only 30 per cent of respondents report that their organisation's information security policies are completely aligned to business objectives, and even fewer, 22 per cent, believe security spending is completely aligned.

Other survey results show privacy continues to be high-profile but not necessarily high priority for security executives. Encryption of data at rest remains a low priority even though it is the source of many data leakage issues. Less than half of respondents report encrypting data residing on databases and laptops (50 per cent and 42 per cent respectively). With a lack of safeguards and basic policies around appropriate internet and e-mail use, organisations become much more vulnerable to 'accidental' internal threats.

Certainly, not all of these threats are malicious or even intentional, PricewaterhouseCoopers said.

In-depth survey results are covered in the September 15th issue of CIO magazine and the October issue of CSO magazine.

The coverage is also available online at www.cio.com and www.csoonline.com. Information about the survey is available at www.pwc.com/security.
