July 12, 1999
continued...page 3 of 6
Outsiders are the main cause of security problems, survey respondents say. How do they know that? More companies are using intrusion-detection systems that scan the network for trespassers and alert IT personnel in real time if intruders are discovered. This year, 37% of survey respondents reported using intrusion-detection products, up from 29% last year. And every company that said it uses intrusion-detection systems discovered unwelcome outsiders prowling in their systems.
"That 100% of users were able to catch intrusions with [intrusion-detection system] is a testament that they actually work," says PricewaterhouseCoopers' Lobel. The effectiveness and growing ease of use of intrusion-detection systems have helped fuel their use. "People are looking for less manually intensive and less reactive tools so they can deal with incidents in real time," Lobel adds.
The tools are designed to help IT managers save time, which is important because lack of time was cited as the main barrier to implementing improved security. The time-crunch problem, however, is not as serious as it was last year (see chart, left).
Survey respondents, however, say that setting security policies to match business goals is difficult and, in many cases, the two aren't in sync. Only 41% say their policies are very much in line with their business objectives. On average, survey respondents rate their alignment of policy and business goals at just 6.5 on a scale of 1 to 10, with 10 being the highest.
That view is reinforced by the fact that only 31% of respondents describe their security policies as highly effective, while 19% say their policies are basically ineffective. Fewer companies are even attempting to measure the effectiveness of their security policies. This year, 27% say their companies are tracking the effectiveness of their security policies, down from 34% last year.
One challenge that security professionals face in establishing policies is striking a balance between being overly cautious on the one hand and lax on the other. "It's easy to straddle that line," says American Family Insurance's Shaurette. "What has to happen is security has to become a function of the corporation, not an obstacle to business."
The survey shows that 81% of companies with security policies make an effort to communicate those policies to their employees (see chart, above). American Family Insurance, for example, employs 9,000 staff members plus an additional 10,000 exclusive affiliate agents and support personnel in 14 states. The company says it actively engages in security discussions with its employees and agents.
Illustration by Teofilo Olivieri
On this point, there's good news. Most companies are doing an effective job of tracing breaches to identify how an attack took place, the survey indicates. Only 13% of respondents were unable to name what kinds of security breaches hit their networks, down from 20% a year ago.
Of course, security products are useless unless they work in tandem with effective policies. "Technology by itself can't eliminate exposure," American Family Insurance's Shaurette says. "To do that, you need some supporting structures that become the policies."
And without the involvement of high-level management in making, communicating, and enforcing security policies, there's only a limited chance of success, analysts and IT managers say.