Some of the key findings of the fourth annual InformationWeek/Ernst & Young Information Security Survey:
Slightly more than one-quarter of the organizations surveyed have no formal business continuity plan. Of those that do have a plan, 42% have never tested it.
The number of companies that include centralized security administration, records management, external access, personnel security/nondisclosure agreements,
and business continuity planning in a corporate security policy decreased from 1995 to 1996.
Also decreasing were the number of organizations using PC access-control software, secure modems, message authentication codes, single sign-on software, and PC hardware security devices.
A huge majority of organizations have no information-security orientation program for employees. Nearly two-thirds have no security awareness program that provides periodic updates or reminders to employees.
Despite the growing use of client-server computing for critical business applications, more than one-third of the organizations don't actively monitor use of their LANs and WANs.
More than one-third of the respondents said their organizations don't monitor Internet activities.
About 60% of the organizations have no incident-response plan when an intruder is detected in their network. And 73% have no formal incident-response team.
Says Tom Peltier, manager of computer security at Detroit Edison Co.: "Organizations with teams have trained people who can take care of problems much quicker, and put together statistics that show which software security tools are working and which aren't, and which training programs are working and which aren't."