Security still elusive issue

Major corporations, drawn by the Internet's profit potential, are woefully underprepared to deal with Internet security issues, the coauthor of a new study says.

CNET News staff
3 min read
Major corporations, drawn by the Internet's profit potential, are woefully underprepared to deal with Internet security issues, according to a security analyst who coauthored Datapro's sixth annual computer security issues survey, released today.

"Hacking tools are becoming more prevalent and easier to use," Kathleen E. Harvey, Datapro's senior information security analyst told CNET. "You used to have to be almost a computer nerd to be a hacker, but not anymore. It's much more widespread today than even five years ago."

Today's hackers also aren't just amateurs, she added, noting that both companies and foreign governments are hiring them for industrial espionage. "It's for profit, not for fun."

But as security threats proliferate, corporate security budgets are shrinking. Datapro's survey found that the majority of security practitioners spend less than 5 percent of their IT budgets on security, down from around 15 percent in 1992. Barely half of survey respondents have a security policy in place, a plunge from 82 percent in 1992 to 54 percent in 1996.

"Too many organizations take a reactive rather than proactive approach to security," Harvey said. "We see a continuing trend of organizations that no longer have people dedicated to the information security function, distributing it out to IT management responsible for the whole enterprise system.

"To them, security is of secondary consideration to managing the network," she added. "They don't realize the exposures."

A security risk assessment is the single best measure to take on a tight budgets. Other findings include the following:

--While 68 percent of respondents are concerned about security threats posed by Internet access, just 15 percent now use encryption, a core element of secure electronic commerce, and only 28 percent use firewalls.

--Computer viruses and malicious code are seen as a greater threat outside of North America. In the Asia region, viruses and malicious code are seen as a primary threat by 66 percent of respondents, compared to Latin America (61 percent), Europe (60 percent), the United States (52 percent), and Canada (44 percent). "North America seems to have a smaller incidence of viruses and malicious code than the rest of the world," Harvey said. "I suspect that means a higher percentage is implementing antivirus software."

--Theft of computer equipment is most rampant in Europe, with 52 percent reporting incidents in the prior year. Far fewer incidents were reported in Canada (28 percent), the United States (25 percent), Latin America (23 percent), and Asia (17 percent). "We had thought it was a problem with laptops and mobile professionals, but based on interviews, we found a fairly significant amount is computer parts being stolen out of the office," Harvey said, attributing that trend to growth of the home computer market and workers stealing hardware.

--While information technology executives recognize the importance of implementing a disaster recovery plan, most fail to do so. Of those surveyed by region, only 10 percent (Latin America), 19 percent (Asia), 26 percent (Europe), 43 percent (United States), and 49 percent (Canada) have a disaster recovery plan in place.

Harvey said adoption of new security technologies such as digital signatures, message authentication, and a single-access sign-on across multiple platforms would boost security.

"When we asked people to tell us who was perpetrating security violations, 40 percent said they didn't know," she said, adding that better software for reporting security violations could alleviate that problem. The survey, mailed in April, received 1,342 valid responses from 11,000 questionnaires, a 12 percent response rate.