[ISN] Theft is top information security risk

From: InfoSec News (isnat_private)
Date: Fri Apr 12 2002 - 01:07:29 PDT

    http://www.bday.co.za/bday/content/direct/1,3523,1060695-6099-0,00.html
    
    12 April 2002 
    
    MORE than 60% of local companies have seen trade secrets and corporate 
    computer equipment disappear in the hands of thieves, with every loss 
    costing an average of R180000. [$16,014.38 U.S.D.  - WK]
    
    Theft of information technology equipment and the data it contains is 
    more rife in SA than elsewhere, with other countries reporting a far 
    lower 38% incidence of theft, according to research by adviser KPMG. 
    
    While the racier world of computer hacking and industrial espionage 
    generates most fear and attention, mundane theft inflicts by far the 
    most damage, KPMG says in its first global information security 
    survey. 
    
    Physical theft remains SA's highest information security risk and the 
    estimated cost of each incident is undoubtedly an underestimate. 
    
    The true cost is probably double that sum, once the effect of 
    downtime, lost productivity and the need to step up security are 
    factored in. Moreover, significant damage to a company's reputation 
    can also be suffered, but probably not calculated. 
    
    The extent of unreported or unmeasured security breaches confirms that 
    the estimated costs are the tip of an iceberg, says KPMG SA's 
    information security services partner, Frank Rizzo. 
    
    Computer viruses and hackers are also running riot, with more than 60% 
    of respondents worldwide suffering a significant attack in the past 
    year. 
    
    The average attack in SA inflicts damages of R575000, yet most firms 
    are overconfident to the point of complacency about making their 
    systems secure. 
    
    While thieves, viruses and hackers are all inflicting damage, IT 
    managers are also under attack from risks created by new technologies. 
    
    The latest threat is "drive-by hacking", where hackers can penetrate 
    corporate networks by breaking in through wireless links. 
    
    "Our survey shows 43% of firms are implementing or planning to 
    implement a wireless network, but more than a third do not protect 
    them, leading to drive-by hacking," Rizzo said. 
    
    More than 50% of local firms let their staff access a corporate 
    network using a personal digital assistant or another portable 
    computer, but only 16% implement software able to control those 
    wireless links. 
    
    KPMG also looked at how much firms spend on IT security. Worldwide, 
    the average spent was R28m, or 10% of the overall IT budget. That was 
    mirrored in SA, where local firms dedicate 11% of their IT budget to 
    security. 
    
    Despite that generous chunk of the budget, many firms are unable to 
    tell how well their security systems are performing, since 40% have no 
    violation reporting and only 35% measure security performance. 
    
    Even among the 58% of firms which insist they are taking all 
    reasonable steps to protect themselves, more than half have no way of 
    knowing they are being hacked until it is too late and almost all have 
    suffered an external attack in the past year. 
    
    "It is of concern that governance is lacking," Rizzo said. "Fewer than 
    50% of organisations have board-level responsibility for information 
    security, while 73% of security staff have no formal security 
    qualifications." 
    
    The average corporate security policy covers areas where there has 
    been most damage in recent years, such as viruses, data protection and 
    privacy. Areas still being ignored are those most likely to erupt in 
    the future, such as the security of data stored on laptops. 
    
    "In the world of e-business there are no geographical and 
    organisational boundaries. If levels of internet protection are not 
    applied equally and everywhere, the weakest link will expose all 
    others in the chain to attack." 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


