Corporate information systems remain vulnerable to cyber attacks,
despite the increased security focus following last year's 11
September terror attacks.
Separate surveys from Computer Sciences Corporation and venture
capitalists 3i highlight how far many organisations are from
instituting basic best practice procedures.
The CSC survey, of more than 1,000 IT executives worldwide, found
46% did not have a formal information security policy in place and
59% lacked a formal compliance program.
A shocking 68% admitted they did not regularly conduct security
risk analyses or security status tracking.
"While most IS professionals recognise the benefits of protecting
and securing data, the business leadership in the organisation
still sees security as a 'nice to have' rather than a 'need to
have'," said Ron Knode, CSC's global director, managed security
services. "It's not until something goes wrong that perceptions
change. The fact is, it costs far less to establish the right
security measures at the outset than it does to recover from a
breach in security."
Knode added: "There has been significant media attention focused on
the risks of cyber terrorism. While cyber terrorism is a very real
concern, disgruntled employees or hackers also pose a risk to an
organisation's data and intellectual property."
Allan Carey, senior analyst at market researcher IDC, echoed this.
"With the majority of attacks it tends to be the insider who is the
larger threat," he said in a comment on 3i's E-security - 2002 and
beyond white paper.
The survey, carried out with the Economist Intelligence Unit,
warned that 80% of firewalls were incorrectly installed and claimed
that the telecoms industry was the least alert of any business
sector to the importance of e-security.