$content.source -- $content.source.name -- $content.altguid

Survey: Four In 10 Companies Don't Enforce Security

Nearly one-quarter of respondents to a recent survey on IT security said their policies were not enforced in an acceptable way

By Greg Meckbach, ComputerWorld Canada

August 01, 2008

Nearly one-quarter of respondents to a recent survey on IT security said their policies were not enforced in an acceptable way.

The survey of 300 organizations, conducted by both Telus Corp. and the University of Toronto's Rotman School of Management, the Rotman-Telus Joint Study on Canadian IT Security Practices, was released Monday.

Of the private companies surveyed, respondents lost an average of C$294,000 (US$287,250) to cyber crime, while the average publicly-traded firm lost $637,000 per year. Government organizations lost an average of $320,000.

The organizations surveyed included companies in IT, finance, manufacturing, military and other government organizations. One-third of respondents were ranked at the director level or higher, 18 percent were systems administrators, 18 percent were security administrators while 26 percent were IT or security managers.

Just 40 percent of government respondents said "IT security strategy is in place and enforced to an acceptable degree" in their organizations, while the figure for both publicly-traded and privately-held companies was 59 percent.

"The people that the public sector tends to attract are not paid as much as the other components of the industry," said Yogen Appalraju, vice-president of security solutions at Burnaby, B.C.-based Telus.

Respondents at 24 percent of the publicly-traded companies said IT security strategy was in place but is "not enforced to an acceptable degree." The figure for privately-held companies was 22 percent.

"Normally we find there's a very clear strategy of what needs to be done but there tends to be a focus on technology and not too much on the people and the process," Appalraju said.

The degree to which security was implemented depended heavily on the governance structures, said Walid Hejazi, co-author of the report and a professor at the Rotman School of Management.

"What we found is that Canadian companies are different than American and foreign companies with respect to accountability and communication in IT security," he said.

According to the report, 60 percent of the respondents said when evaluating their people, they do not link personnel performance objectives to IT security objectives. The others are 39 percent more likely to be "very satisfied" with their overall IT security.

Hejazi said a greater proportion of companies in the U.S. and Europe tie personal performance to IT security.

"That's a very important component to explaining to why some employees are more aggressive about implementing adequately."

The report also asked IT staff about their security technologies and incidents.

All respondents said they use anti-virus and firewalls, and all respondents who spend more than five percent of their IT budget on security use anti-spam. Ninety-eight percent of the others used anti-spam, while 85 percent of those who spend less than five percent of their IT budget on security use network intrusion prevention.

Companies that spend five percent or more of their IT budgets on security tended to get better results than those who spend less than five percent, according to the study.

"For those respondents who spend in excess of five percent of their IT budget on security the amount of web site defacement -- the quantity of incidents came down drastically, almost 60 percent," Appalraju said.

Sixty-two percent of respondents reported malware breaches, 27 reporting phishing attacks and 17 percent reported denial of service attacks.

"When you have those kinds of attacks typically they reach executive management," Appalraju said. "What happens is a lot of due diligence goes on after fact so you have audits that take place you have a lot of remediation that takes place."

RESOURCE CENTER