Data security: Will the world take action?
Information security is a fundamental business issue, but companies are still complacent.
Investment in information security has not significantly increased, despite the heightened awareness that followed the terrorist outrages in the US last year.
That's the conclusion of the Global Information Security Survey, one of the most comprehensive surveys of security issues ever undertaken.
The survey was carried out by PricewaterhouseCoopers on behalf of vnunet.com's sister magazine Information Week. The European data was supplied in a survey of Computing readers in the UK and other VNU Business Publications titles across Europe.
Some 8,100 IT managers and other professionals with responsibility for security were surveyed in North and South America, Europe and Asia. More than 3,000 respondents were based in Europe, including 700 in the UK. The survey was hosted by Kadence in London.
Information security ranks as a fundamental business concern for all organisations, with 64 per cent citing it as a high priority.
Concern about lost revenue and potential liability, as well as regulatory pressure from governments around the world, keeps money flowing to the information security industry.
The defences used against attack fall into two categories: technical and non-technical. On the technical side, an increasing number of organisations are using encryption to protect networks and data stores. E-commerce systems rely on secure web transaction systems.
Non-technical strategies are focused on policies and practices within organisations. They include clear guidelines on privacy standards and strategies to ensure that employees obey them.
Privacy procedures are often posted online to increase availability, and most organisations conduct privacy policy reviews at least once a year.
Organisations continue to blame external enemies, such as hackers, for most of the security mayhem they face, but attacks are increasingly attributed to individuals closer to home.
Respondents acknowledge unauthorised users inside a company as possible breach suspects, while others maintain that authorised users and employees are to blame for some cyber-crimes.
To control attacks, organisations in North America, Europe, South America and Asia are primarily focusing on security awareness among employees.
Companies in South America and Asia are particularly focused on integrating security policies and procedures. Asia leads in the creation of security committees or task forces, while Europe lags behind.
Countermeasures include defining security responsibility, installing hi-tech access controls, awareness campaigns, and investing in security architecture.
Security incidents are an everyday occurrence and few companies remain unscathed. Those that appear untouched are usually smaller companies that haven't implemented security software such as firewalls, so they may not even be aware that they have been attacked.
Globally, 66 per cent of the 8,100 sites interviewed reported a security breach or incident of espionage in the past year.
Viruses, worms and Trojan horses continue to be the most common attacks, although they have dropped slightly compared with 2001, with 44 per cent experiencing such attacks. Companies in North America are neither the sole targets nor the most frequent victims.
This is the survey's fifth year. What we have here is only summary information compiled from more than 16 volumes of data, breaking down responses by region, country, type of organisation and even job title. Over the coming months, we will return to analyse some of these areas.
The lessons are clear. IT managers worldwide are encouraging investment in tools and strategies to keep their information secure.
But nobody appears to be panicking and, while security tools vendors will continue to do well, the much-talked-about boom in information security spending is actually quite muted.