Forwarded from: William Knowles <wkat_private> http://www.washingtonpost.com/wp-dyn/articles/A54670-2002Sep8.html By Nicholas Johnston Washington Post Staff Writer Monday, September 9, 2002; Page E05 Companies increasingly identify computer security as one of their top priorities, but a significant minority admit that they are inadequately protected, according to a survey to be released today. "The positive news is that industry is talking the talk of the need for improved information security," said David McCurdy, executive director of the Internet Security Alliance. "The negative news is that very few are walking the walk." Nearly 90 percent of 227 companies that responded to a survey said information security was essential to the survival of their business. However, 30 percent said their plans for dealing with technology threats were inadequate. The reason is that the threat of cyber attack remains relatively new for many businesses, said Doug Goodall, chief executive of the computer security firm RedSiren Technologies of Pittsburgh. And it will take some time for companies to adjust to those new threats and make appropriate responses. "The challenge for fully a third of organizations interviewed is that they still have a long way to go from awareness to proactive management of the risks," Goodall said. The Internet Security Alliance, the National Association of Manufacturers and RedSiren conducted the survey last month, receiving responses from information security specialists at 227 companies worldwide. Although the survey is not statistically valid, Goodall called the responses a fair representation of the experience of most businesses. About half of the respondents reported that the Sept. 11 attacks made them "more concerned" about cyber-terrorism, but almost as many respondents reported no change in their attitude. And the economic fallout from the terrorist attacks could also be why companies are slow to adopt more rigorous security procedures. "A lot of companies right now are trying to survive," McCurdy said. "This has been a cost item." According to those who conducted the survey, many companies might still believe that the potential losses from a cyber attack are not yet great enough to warrant increased spending on security. "A sizable portion [of companies surveyed] believes this is manageable risk or an acceptable risk," McCurdy said. "That's a mistake." What might be necessary to change those perceptions is a computer security event the magnitude of last year's terrorist attacks to focus attention on the problem, just as those attacks changed security procedures at airports, for instance. "They [corporate executives] have not in most cases had a debilitating attack on their business," said Tom Orlowski, vice president for information systems at the National Association of Manufacturers. "It's kind of like, 'Overall the U.S. has a huge risk, but me and my company? I don't have much of a risk.' " Almost a third of companies said they were unprepared for possible cyber attacks, but 33 percent also said company executives have not taken enough interest in the issue. "It's just not high enough on their priority list," Orlowski said. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Sep 09 2002 - 01:39:01 PDT