Information Security News mailing list archives

Report: Business fails on global security


From: InfoSec News <isn () c4i org>
Date: Thu, 15 Nov 2001 01:19:18 -0600 (CST)

http://www.zdnet.com/zdnn/stories/news/0,4586,5099609,00.html?chkpt=zdhpnews01

By Robert Lemos
Special to ZDNet News 
November 14, 2001 8:20 AM PT
 
Multinational corporations are still far off from securing their
networks and seem to be focusing on the wrong threats, according to a
report expected from Big Five accounting firm KPMG this week.

For the risk assessment report, KPMG interviewed 500 executives in
August and discovered that although 85 percent felt they gave enough
attention to protecting their information, nearly four out of 10
thought their company could suffer a serious breach of security.

The majority believes that the fix is to buy the right technology, but
that's plain wrong, Stuart Campbell, partner for KPMG's Risk and
Advisory Services practice, said in a statement.

"Until more executives regard information security as a strategic
business issue, organizations will remain vulnerable," he said. "This
issue doesn't begin and end with technology solutions and technology
departments."

Rather than buy new software and systems, companies should be looking
toward education, training and policy initiatives. Almost 90 percent
of the executives said they had an ongoing program of such training,
but only 11 percent said that nonmanagement employees were informed
about security policy.

"Companies need to move aggressively in educating and informing
employees," said Campbell. "A security environment aimed primarily at
preventing outside intrusions is destined for failure."

Making the problem worse, companies seem to be focusing on the wrong
risks. The report found that a third of executives considered hackers
attacking from the Internet to be the greatest threat, but the
reality, it said, is that almost 80 percent of attacks originate from
inside a company's network.

Another study may complicate that finding, however.

Last March, the 2001 Computer Crime and Security Survey found that
although attacks by online vandals didn't account for major dollar
losses, the Internet has become a major source of attacks for most
organizations. Companies that found themselves the victim of attacks
via the Internet increased to 70 percent in 2001, but the number of
companies experiencing insider attacks fell to 31 percent.

Still, some results of the KPMG study indicated that companies were
improving information security.

Nearly eight out of 10 multinational corporations had developed a
catastrophic response plan, and almost six out of 10 had hired
full-time security specialists.

 
