Version: 2008

September 24, 2004 11:26 AM PDT

Study: Security measures often overlook human factor

Threats to data security are mounting, especially from within organizations, but top executives aren't helping their companies keep pace, a new study has found.

CEOs are increasingly aware of the risks posed to company information by insiders, but they aren't acting on this knowledge, according to the "2004 Ernst & Young Global Information Security Survey." More than 70 percent of the 1,233 organizations surveyed in 51 countries failed to list training and raising employee awareness of information security issues as a top initiative.

Just 20 percent of respondents strongly agreed that their organizations perceive information security as a CEO-level priority. Only one-quarter gave their information security departments the highest ratings in meeting the needs of the organization.

A large part of the problem is that organizations remain focused on external threats such as viruses, while internal threats are consistently underemphasized, the survey found. Executives are quicker to spend money on technology such as firewalls and virus protection than they are to properly prepare their employees.

"Companies face far greater damage from insiders' misconduct, omissions, oversights, or an organizational culture that violates existing standards," Edwin Bennett, global director of Ernst & Young's technology and security risk services, said in a statement Thursday. "Because many insider incidents are based on concealment, organizations often are unaware they're being victimized. Too many organizations feel that information security has no value when there is no visible attack."

Threats can also come inadvertently from business allies. Fewer than one-third of the companies surveyed conduct a regular assessment of their IT providers to monitor compliance with information security policies.

The dangers can be reduced by creating a security-conscious culture that starts with executives setting the right tone at the top of the organization, Ernst & Young said. Organizations also have to demand higher levels of security from their business partners.

The companies surveyed range in annual revenue from less than $100 million to more than $10 billion and operate in sectors from finance to retail to government services.

Creating a security-conscious culture
by September 25, 2004 3:49 AM PDT
The survey indicates that we have reached the point of diminishing returns on security technology and must shift the focus to address the human factors. 'Creating a security-conscious culture' is an excellent goal but, in my experience, relatively few information security managers have the skills to achieve this. Geek culture has been the butt of jokes for years and for good reason: elite specialist technologists are not usually adept at the necessary interpersonal and communication skills. Third-party security awareness services leverage the security managers' insider and technical knowledge by providing the materials and inspiration for more effective security awareness programs. However, cultural development is not a quick-fix solution - don't make the mistake of thinking that a one-off security training course will make any real difference.
Defense-in-Depth
by September 25, 2004 1:19 PM PDT
I agree that we've reached diminishing returns on security technology IF organizations continue to neglect training and awareness, as well as enforcing accountability in their environment.

If I had a dime for every time I saw one of my peers gaining entrance to the office without their ID card, or the executive suite just tossing documents into the trash bin without shredding them, I know no amount of technology will help my company.

We've all been in the presentations - "silver bullet" stuff - that promises to protect us from the outside. Goodness ... we budget for the stuff and then we have Bob in payroll cracking open an e-mail from his college roommate only to find that the enticing attachment with some Russian tennis star is really not her.

I also agree culture can't be changed easily but I know they don't sell a technology solution for it.

Otherwise, I suspect that if companies had to report on insider security incidents (confidentiality breaches) the way airlines are required to report near misses, we'd have more attention paid to the insider issue. Until then, we still have to read the anti-virus software makers telling us that we lost $55 billion to some silly-named worm.

Does anyone know of any virus attack that has ever resulted in a death or a Fortune 1000 business going under?

I can't, but we do know what happens when insiders strike.