InformationWeek Global Security Survey 2006: Controlled Chaos - InformationWeek


On the one hand, IT feels safer than it did a year ago. But on the other, more than half of U.S. respondents acknowledge there are more ways to attack business networks now than ever before.

Attention Getter

The hot-button issue over the past 12 months has been data loss to theft or negligence. When a Veterans Affairs Department laptop and removable hard drive containing 26.5 million personnel records were stolen in May, it underscored the risk to other organizations. "Events drive business decisions," says Alastair MacWillson, global managing partner of Accenture's security group. A year ago, the driver was malware attacks; this year, it's data loss and theft.

Customer data breaches are on the rise. Data is the central commodity for attackers who want to commit fraud or profit from identity theft, and increasingly security pros find their systems in the crosshairs of profit-seeking criminals, not just thrill-seeking troublemakers. In last year's survey, only 6% of U.S. companies reported that customer records had been compromised in some way, and only 5% encountered identity theft. This year, those percentages almost doubled, to 11% and 9%. The problem is worse in China, where 23% of companies said customer data has been compromised and 27% have been involved in some way with identity theft.

[Figure: Infosec Tithe]

Highly publicized breaches have led to at least 33 state laws created to force businesses to report customer data losses. Congress is mulling several bills aimed at stanching the flow of lost consumer and financial data.

Leo Dittemore, director of IS security administration at HealthCare Partners, took the VA data theft as a wake-up call to push security initiatives at the insurance and health care company. Employees download patient data onto laptops, and Dittemore is sure some staffers take that information home. "I'm all for people doing work on their own time," he says. "But the data has to be protected." It would be difficult for HealthCare Partners to prohibit employees from working with data after office hours, since the company makes money based on the amount of work it does with those files. "It's a pay-for-performance model," Dittemore says.

HealthCare Partners lacks internal rules about when employees can download patient information; Dittemore is writing a policy to govern data use and movement.

"The VA got everyone's attention," agrees Joel Garmon, director of information security for Florida Power & Light, which is reassessing how it stores customer data and who has access to that information. "We're restricting some access and tightening controls."

Technology and training are important to preventing customer data breaches, which also have struck American International Group and Fidelity Investments, among others, this year. Most businesses have policies that outline system and data access for employees, but those rules vary significantly in what they govern, according to our survey. Among U.S. companies, nearly two-thirds of security policies lay out who has access to data and how it can be used. Slightly more than half of policies explain where customer data can and can't be stored. European companies are more likely to formalize rules on who has access to customer data and where it can be stored.

Only 28% of U.S. security policies state that customer data must be encrypted, a shortcoming that has cost organizations that lost data. Enterprise security policies in China and India are much more likely to state that all customer data must be encrypted.

In an attempt to protect customer data, U.S. companies are informing employees about privacy standards (64%), securing Web transactions (52%), and encrypting communications (42%) more than companies in other countries. Nearly half of U.S. companies monitor employees' inbound e-mail and Web site usage, while more than a quarter monitor use of instant messaging and the content of outbound e-mail messages.

Get Out Your Checkbook
