Firms are baffled by security

Bill Goodwin
As the technology becomes more complex, businesses increasingly lack the expertise to act as intelligent buyers of information security, a study for the Department of Trade & Industry has concluded.

Project procurement requests often include poorly defined security requirements, exposing firms to potential risks once systems go online, the study into information security consultants revealed.

"Unsophisticated buyers, unwilling to accept the cost and complexity of a properly secure solution for which they do not understand the need, often accept a simple, cheap alternative without realising the risk implications," the report said.

Feedback from service providers suggests that many businesses do not consider security when they outsource their IT, and some regard security as an unnecessary expense. As a result, businesses may be offered solutions from inexperienced IT service companies, which undercut more experienced suppliers but fail to provide adequate security.

Although firms see no need for government regulation of IT security consultants, some expressed concerns about "cowboy" suppliers offering penetration testing services. Many felt that suppliers offering "noddy" services using common open source tools to identify product vulnerabilities, rather than doing a test specific to the target systems, give users a false sense of security.

The study found that most organisations buy security services from companies recommended to them or from known, trusted suppliers. But few organisations look at the qualifications of the consultants they hire - an issue which may need to be addressed by re-assessing the scope of professional security qualifications.

More needs to be done to educate small businesses and non-IT professionals about data security, the report said.
