Eight out of 10 companies scored a "grade D" or worse for managing their organisations' security when measured against basic best practices, a survey of 1,000 security managers from business and government has revealed.
The Human Firewall Council's Security Management Index, which assesses the performance of companies against ISO17799 and similar standards, suggests that most organisations do not have a properly thought-out security strategy.
The majority of organisations surveyed scored less than 50% across categories including access control, personnel security and business continuity.
"If your son or daughter brought home a report card from school with the kind of scores found in the survey you would be appalled," said Steve Kahan, president of the council. "Nearly all categories of security management show significant weaknesses."
Three out of four organisations fail to fully implement security policies, and only one in five review them and keep them up-to-date, the survey, sponsored by InfoSecurity Europe and Computer Weekly, found.
Fewer than one in five have fully assessed the risks to their key systems; the rest therefore have no clear idea of where they should focus their resources.
"Organisations are simply not implementing security practices to protect their systems development and maintenance activities. As a result, system vulnerabilities continue to exist for most organisations," said Kahan.
Very few firms follow a risk management process, use digital signatures, have a cryptographic key management system or perform source code reviews.
Fewer than 20% of organisations have incident management procedures or carry out security awareness training, so their staff are unlikely to know how to recognise a security breach or how to react if they find one.
Financial services companies, computer and software firms, and consultancies score highest on the index, while the public sector, manufacturing and retail fare badly.
The index suggests that most companies are taking a "technical fix" approach to security, installing systems to solve specific problems, rather than adopting an overall security strategy.
Have your say and win an MP3 player
Is your company's security compromised when staff leave? Every year UK businesses lose millions of pounds due to the misappropriation and misallocation of resources and access rights. Employees can leave with long-distance calling cards still active and access to voice mail and ISP services.
We want to hear your most absurd provisioning tales. Contact us via www.infosec.businesslayers.com and you could win a Diamond Multimedia RIO 600 MP3 player and be included in the "101 Most Absurd Provisioning Stories", to be distributed at Infosecurity Europe 2003 in London, 29 April to 1 May.