Less than half of UK companies are ready to comply with
information security measures such as the Payment Card Industry's Data Security Standard (PCI
DSS) and the Markets in Financial Instruments Directive
(Mifid), according to a survey of more than
200 chief information security officers.
The survey, by EMedia for enterprise security supplier
NetIQ, showed that most company boards were "paying lip
service" to IT security despite, in some cases, being personally
liable for damages due to non-compliance.
The least-prepared are medium to large companies, said Ulrich
Weigel, NetIQ's chief security strategist. "They believe the
chances of being caught non-complying are very small," he said.
Very large firms are generally well up on the matter, and most
compliance regulators felt very small firms had less significant
transaction volumes, he said.
Weigel said in Germany the chance of being singled out for a tax
audit was about 2%. "Companies are taking a similar risk management
approach to compliance with PCI and Mifid, and all the other
compliance standards."
The survey, which covered banking, insurance, retail and
manufacturing firms, found that nearly 60% of staff did not
understand the legislation that affected their business. However,
70% still felt that their security policies were closely aligned
with their business objectives and risk areas.
Weigel said they could fix this anomaly using well-thought-out
security policies and procedures. "Information security is not an
IT project," he said. "Firms need to start small and design
security into their corporate processes. If they then incentivise
secure behaviour, security will become part of the firm's cultural
DNA."