Home » Data Protection » Malware/Cybercrime

Research

The Global State of Information Security 2006

Some things are getting better slowly but security practices are still immature and, in some cases, they're regressing

By Allan Holmes

Page 6

For information security to be most effective, aligning the technological processes with the organization's strategic plan is critical. Companies that make security part of their strategic plan, Lobel says, have fewer breaches, lower financial losses and the fewest network downtimes.

IV. Compliance—Time to Get Tough

As was the case last year, a surprising portion of survey respondents admitted that they're not in compliance with the information security laws and regulations that govern their industries.

That includes high-profile laws that have been on the books for years. More than one-quarter of U.S. security execs who said their organizations need to be compliant with HIPAA, the eight-year-old law that requires health-care organizations to protect patient information, admitted that they are not.

Noncompliance runs broad and deep in all industries, and ignorance of applicable law is a big factor. Nearly one in five U.S. survey respondents said they should be but are not in compliance with California's 2002 security breach law, which requires companies to notify individuals if an unauthorized person obtains access to their private information (such as credit card numbers). But only 22 percent of all U.S. respondents said the law applies to them. However, given that the law applies to any organization that has even one California resident as a customer, student or client—more than one in 10 Americans—a good portion of the 78 percent of enterprises that think the law does not apply to them are likely wrong.

Similarly, it would have been hard over the past four years to miss the requirements of such laws aswww.csoonline.com/article/218577"> Sarbanes-Oxley and Gramm-Leach-Bliley. Still, more than one-third of all U.S. respondents said they are not in compliance with Sarbanes-Oxley even though they should be, and more than one out of seven said they were not compliant with Gramm-Leach-Bliley. That's a slight improvement from last year, but considering the stiff criminal penalties of not complying, many executives seem to be leaving themselves open to lawsuits and possible prison terms and exposing their enterprise to fines.

And this is not simply an American phenomenon. Half of Australian organizations surveyed admitted to not complying with their country's privacy legislation. Almost a third of U.K. respondents said they do not comply with their country's eight-year-old Data Protection Act, and nearly one-third of stereotypically law-abiding Canadian organizations said they do not comply with their nation's privacy act.

At the root of this may be a lack of enforcement. To date, the cost of noncompliance is not as high as the expense of complying—the price of labor, hardware and software. In the absence of penalties, security executives have not been able to mount a business case for compliance. Add to that the fact that despite high-profile security breaches and lost laptops over the past year, the actual damages and ID thefts that can be directly tied to the incidents are small, says Jim Lewis, director of the Technology and Public Policy program at the Center for Strategic & International Studies in Washington, D.C. "People may have a sense that they are not as vulnerable as they used to be," he says, and so not complying with laws is perceived as less risky.