http://www.bday.co.za/bday/content/direct/1,3523,1060695-6099-0,00.html

12 April 2002

MORE than 60% of local companies have seen trade secrets and corporate computer equipment disappear in the hands of thieves, with every loss costing an average of R180000. [$16,014.38 U.S.D. - WK]

Theft of information technology equipment and the data it contains is more rife in SA than elsewhere, with other countries reporting a far lower 38% incidence of theft, according to research by adviser KPMG.

While the racier world of computer hacking and industrial espionage generates most fear and attention, mundane theft inflicts by far the most damage, KPMG says in its first global information security survey.

Physical theft remains SA's highest information security risk and the estimated cost of each incident is undoubtedly an underestimate. The true cost is probably double that sum, once the effect of downtime, lost productivity and the need to step up security are factored in.

Moreover, significant damage to a company's reputation can also be suffered, but probably not calculated. The extent of unreported or unmeasured security breaches confirms that the estimated costs are the tip of an iceberg, says KPMG SA's information security services partner, Frank Rizzo.

Computer viruses and hackers are also running riot, with more than 60% of respondents worldwide suffering a significant attack in the past year. The average attack in SA inflicts damages of R575000, yet most firms are overconfident to the point of complacency about making their systems secure.

While thieves, viruses and hackers are all inflicting damage, IT managers are also under attack from risks created by new technologies. The latest threat is "drive-by hacking", where hackers can penetrate corporate networks by breaking in through wireless links.

"Our survey shows 43% of firms are implementing or planning to implement a wireless network, but more than a third do not protect them, leading to drive-by hacking," Rizzo said.

More than 50% of local firms let their staff access a corporate network using a personal digital assistant or another portable computer, but only 16% implement software able to control those wireless links.

KPMG also looked at how much firms spend on IT security. Worldwide, the average spent was R28m, or 10% of the overall IT budget. That was mirrored in SA, where local firms dedicate 11% of their IT budget to security.

Despite that generous chunk of the budget, many firms are unable to tell how well their security systems are performing, since 40% have no violation reporting and only 35% measure security performance.

Even among the 58% of firms which insist they are taking all reasonable steps to protect themselves, more than half have no way of knowing they are being hacked until it is too late and almost all have suffered an external attack in the past year.

"It is of concern that governance is lacking," Rizzo said. "Fewer than 50% of organisations have board-level responsibility for information security, while 73% of security staff have no formal security qualifications."

The average corporate security policy covers areas where there has been most damage in recent years, such as viruses, data protection and privacy. Areas still being ignored are those most likely to erupt in the future, such as the security of data stored on laptops.

"In the world of e-business there are no geographical and organisational boundaries. If levels of internet protection are not applied equally and everywhere, the weakest link will expose all others in the chain to attack."

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 03:24:38 PDT