For the risk assessment report, KPMG interviewed 500 executives in August and discovered that although 85 percent felt they gave enough attention to protecting their information, nearly four out of 10 thought their company could suffer a serious breach of security.
The majority believes that the fix is to buy the right technology, but that's plain wrong, Stuart Campbell, partner for KPMG's Risk and Advisory Services practice, said in a statement.
"Until more executives regard information security as a strategic business issue, organizations will remain vulnerable," he said. "This issue doesn't begin and end with technology solutions and technology departments."
Rather than buy new software and systems, companies should be looking toward education, training and policy initiatives. Almost 90 percent of the executives said they had an ongoing program of such training, but only 11 percent said that nonmanagement employees were informed about security policy.
"Companies need to move aggressively in educating and informing employees," said Campbell. "A security environment aimed primarily at preventing outside intrusions is destined for failure."
Making the problem worse, companies seem to be focusing on the wrong risks. The report found that a third of executives considered hackers attacking from the Internet to be the greatest threat, but the reality, it said, is that almost 80 percent of attacks originate from inside a company's network.
Another study may complicate that finding, however.
Last March, the 2001 Computer Crime and Security Survey found that although attacks by online vandals didn't account for major dollar losses, the Internet has become a major source of attacks for most organizations. Companies that found themselves the victim of attacks via the Internet increased to 70 percent in 2001, but the number of companies experiencing insider attacks fell to 31 percent.
Still, some results of the KPMG study indicated that companies were improving information security.
Nearly eight out of 10 multinational corporations had developed a catastrophic response plan, and almost six out of 10 had hired full-time security specialists.