Research
The Global State of Information Security 2006
Some things are getting better slowly but security practices are still immature and, in some cases, they're regressing
By Allan Holmes
If security is to improve, security laws need more teeth. And that applies to an organization's own rules as well. Survey respondents reported that more than two-thirds of users are compliant with their organization's security policies, a statistic that has remained unchanged over the past three "Global State of Information Security" surveys. One of the most critical factors for reducing network downtime is compliance with an organization's security rules, Lobel points out, but that requirement isn't even in Control Objectives for Information and Related Technology, or COBIT, the bible for IT governance.
Lobel suggests organizations assign penalties for not complying with their own security policies. But make sure, he adds, that the penalty matches the infraction. "You may not want to terminate someone who puts passwords on yellow sticky notes," Lobel says, "but there have to be some consequences."
V. The Best and Brightest
Last year we highlighted the financial services sector as possessing the best information security practices, and this year that industry once again leads all others in integrating information security with strategic operations.
Companies in the financial services sector (banks, insurance companies, investment firms) are more likely to employ a CSO than other industries. Security budgets in the financial sector are typically a bigger slice of the IT budget as a whole and increase at a faster rate than in other sectors. That may be because financial services companies are more likely to link security policies and spending to business processes. These companies are proactive, instituting formal information security processes such as log file monitoring and periodic penetration tests. More of their employees follow company security policies. Not surprisingly, financial services companies also have deployed more information security technology gadgets, such as intrusion detection and encryption tools, and identity management solutions.
It's obvious, therefore, that financial services organizations are far more likely, almost twice as likely in fact, to have an overall strategic security plan in place. Consequently, they reported fewer financial losses, less network downtime and fewer incidents of stolen private information than any other vertical.
The reason for all this is also obvious. The product in the financial services industry is money, and money is the prime target of cybercriminals, including organized crime, insiders and even terrorists. Protecting the money is the industry's most critical concern. The past few years have seen a sharp increase in cybercrime (phishing, identity theft, extortion and spyware, to name a few). Anytime a security executive can demonstrate to top executives that investing in security can protect and increase shareholder value, he will be more likely to convince the boardroom to make that investment and make security a strategic part of the organization.