Information Security News mailing list archives

'Theft is top information security risk'


From: InfoSec News <isn () c4i org>
Date: Fri, 12 Apr 2002 03:07:29 -0500 (CDT)

http://www.bday.co.za/bday/content/direct/1,3523,1060695-6099-0,00.html

12 April 2002 

MORE than 60% of local companies have seen trade secrets and corporate 
computer equipment disappear in the hands of thieves, with every loss 
costing an average of R180000. [$16,014.38 U.S.D.  - WK]

Theft of information technology equipment and the data it contains is 
more rife in SA than elsewhere, with other countries reporting a far 
lower 38% incidence of theft, according to research by adviser KPMG. 

While the racier world of computer hacking and industrial espionage 
generates most fear and attention, mundane theft inflicts by far the 
most damage, KPMG says in its first global information security 
survey. 

Physical theft remains SA's highest information security risk and the 
estimated cost of each incident is undoubtedly an underestimate. 

The true cost is probably double that sum, once the effect of 
downtime, lost productivity and the need to step up security are 
factored in. Moreover, significant damage to a company's reputation 
can also be suffered, but probably not calculated. 

The extent of unreported or unmeasured security breaches confirms that 
the estimated costs are the tip of an iceberg, says KPMG SA's 
information security services partner, Frank Rizzo. 

Computer viruses and hackers are also running riot, with more than 60% 
of respondents worldwide suffering a significant attack in the past 
year. 

The average attack in SA inflicts damages of R575000, yet most firms 
are overconfident to the point of complacency about making their 
systems secure. 

While thieves, viruses and hackers are all inflicting damage, IT 
managers are also under attack from risks created by new technologies. 

The latest threat is "drive-by hacking", where hackers can penetrate 
corporate networks by breaking in through wireless links. 

"Our survey shows 43% of firms are implementing or planning to 
implement a wireless network, but more than a third do not protect 
them, leading to drive-by hacking," Rizzo said. 

More than 50% of local firms let their staff access a corporate 
network using a personal digital assistant or another portable 
computer, but only 16% implement software able to control those 
wireless links. 

KPMG also looked at how much firms spend on IT security. Worldwide, 
the average spent was R28m, or 10% of the overall IT budget. That was 
mirrored in SA, where local firms dedicate 11% of their IT budget to 
security. 

Despite that generous chunk of the budget, many firms are unable to 
tell how well their security systems are performing, since 40% have no 
violation reporting and only 35% measure security performance. 

Even among the 58% of firms which insist they are taking all 
reasonable steps to protect themselves, more than half have no way of 
knowing they are being hacked until it is too late and almost all have 
suffered an external attack in the past year. 

"It is of concern that governance is lacking," Rizzo said. "Fewer than 
50% of organisations have board-level responsibility for information 
security, while 73% of security staff have no formal security 
qualifications." 

The average corporate security policy covers areas where there has 
been most damage in recent years, such as viruses, data protection and 
privacy. Areas still being ignored are those most likely to erupt in 
the future, such as the security of data stored on laptops. 

"In the world of e-business there are no geographical and 
organisational boundaries. If levels of internet protection are not 
applied equally and everywhere, the weakest link will expose all 
others in the chain to attack." 


