IT Security: The Data Theft Time Bomb

While viruses and worms remain the most pesky security problems, data theft concerns simmer beneath the surface, according to InformationWeek's 10th annual Global Information Security survey.
Some companies prefer the Big Brother approach. Of the U.S. respondents who say their companies monitor employee activities, 51% monitor e-mail use, 40% monitor Web use, and 35% monitor phone use, roughly consistent with last year's findings. However, other sources of data leakage are given less attention: Only 29% monitor instant messaging use, 22% the opening of e-mail attachments, and 20% the contents of outbound e-mail messages. And only a handful keep a close eye on the use of portable storage devices.

Still, 42% of respondents say data leakage is bad enough that employees should be fined or punished in some way for their role in security breaches, once those employees have been trained. Consultant MacLean takes an even tougher tack: "Termination is pretty severe, but in some cases it's appropriate, as is civil or even criminal prosecution."

chart: What It's Worth: How does your company measure the value of your security investments?
A significant number of respondents want to put the responsibility for porous security on the companies selling them security technology. Forty-five percent of U.S. companies and 47% of companies in China think security vendors should be held legally and financially liable for security vulnerabilities in their products and services.

Some of the unease about corporate IT security may stem from the fact that most companies don't have a centralized security executive assessing risks and threats and then calling the shots to address these concerns. The process for setting security policy in most companies is collaborative, and groups comprising the CIO, CEO, IT management, and security management all have input. Eisenhower Medical Center doesn't have a chief information security officer, instead relying on its general counsel to make regulatory compliance decisions, and on CIO Perez, working with system administrators, to set security policy. "We gather information from each director in each department to find out what systems and data they need access to," Perez says. "It's an interesting back and forth. The doctors want easy access, and we're trying to make it more secure."

The number of chief information security officers has grown significantly in the last year. Roughly three-quarters of survey respondents say their companies have CISOs, compared with 39% in 2006. CISOs predominantly report to the CEO or the CIO.

When it comes to the ultimate sign-off, however, half of U.S. companies say that the CEO determines security spending. In the United States, the greatest percentage of respondents, 37%, say their companies assess risks and threats without the input of a CISO, while an astounding 22% say they don't regularly assess security risks and threats at all.

In the United States, the portion of IT budgets devoted to security remains pretty flat; companies plan to spend an average of 12% this year, compared with 13% last year. China, on the other hand, is on a security spending spree: The average percentage of IT budget devoted to security this year is 19%, compared with 16% in 2006. It's interesting to note that 39% of U.S. companies and 55% in China expect 2007 security spending levels to surpass those in 2006.

If it all sounds overwhelming, don't panic. While information security has gotten more complex--as attackers alter both their methods and their targets, and companies layer more and more security products on top of each other--the good news is that the measures required to plug most security holes often come down to common sense, an increasingly important quality to look for in any employee or manager handling sensitive data.

Illustration ©2007 Brian Stauffer c/o

Continue to the sidebar:
China's Evolutionary Leap

View charts:
IT Security: Still A Daunting Task

Buy the report:
2007 InformationWeek/Accenture Global Information Security Survey