The Global State of Information Security 2006
Some things are getting better, slowly, but security practices are still immature and, in some cases, they're regressing.
By Allan Holmes
Financial services firms are more likely than enterprises in other industries to use ROI to measure the effectiveness of security investments (29 percent versus an average of 25 percent), and they also are more likely to use potential impact on revenue to justify investments (36 percent versus an average of 27 percent). These arguments work. More financial services companies saw a double-digit increase in their 2006 security budgets than those in any other sector.
Regulation plays a part too. The financial industry must adhere to the most stringent information security laws, and therefore it leads other industries in following proven, strategic information security practices.
Following this line of reasoning about regulatory compliance, one would think that government, health care and education, all highly regulated and entrusted with securing private information, would match the financial sector in instituting strategic security practices. One would, however, think wrongly. According to the survey, government, health care and education, despite their responsibility for protecting the personal information of hundreds of millions of citizens, patients and students, are less likely than finance to follow the best tactical and strategic security practices. The government and health care sectors, for the most part, lead other sectors in following and instituting information security policies and in moving toward a more strategic posture. But both sectors are well behind financial services. Only 42 percent of government entities report having an overall security strategy, compared with 56 percent in the financial sector.
The education sector is even farther behind in developing, following, and deploying information security practices and tools. Educational organizations find themselves in this position even after highly publicized network break-ins, including those at San Diego State University and most recently at Ohio University, which exposed students' and their families' data, including home addresses, Social Security and credit card numbers, and tax information.
In fact, the education sector suffers more negative security events (viruses and worms, denial-of-service attacks, identity thefts, unauthorized entries and trafficking in illicit data), more network downtime and more downtime that lasts for many days than what the average respondent worldwide experiences.
And the security future doesn't look bright for the education sector either. A smaller share of education-sector security respondents than in most other sectors said they plan to hire a C-level security leader, conduct background checks on new hires, start checking whether networks comply with security policies, conduct or institute employee security awareness programs, or install encryption tools, just to name a few. Educational organizations are sticking to more mundane and tactical security fixes: installing firewalls, backing up data and deploying network security tools. It's relatively easy to predict that the education sector's security outcomes will not improve significantly in 2007.