[ISN] CSO survey: Companies lack plans in case of terrorist attacks

From: InfoSec News (isn@private)
Date: Thu Jun 10 2004 - 02:45:43 PDT


    By Paul Roberts
    JUNE 09, 2004

    A majority of security executives surveyed said their companies don't
    have plans to cope with an unconventional terrorist attack, even
    though most believe that a terrorist attack of some kind is likely to
    occur in the coming months, according to the results of a poll
    released by CSO magazine today.

    The survey of 476 chief security officers and senior security
    executives found that 60% believe that a terrorist attack is likely in
    Boston or New York, which are hosting the Democratic and Republican
    political conventions this summer, respectively. While 63% of CSOs
    said their companies have planned for conventional attacks such as
    bombings or hostage taking, 61% said they haven't planned for
    unconventional attacks using chemical, biological or nuclear weapons,
    according to the magazine.

    The online survey of CSO subscribers was conducted between April 27
    and May 18, 2004, and has a 4.5% margin of error. CSO subscribers were
    asked their opinions on a number of issues, including terrorism,
    politics, IT security policy and purchasing decisions.

    While planning for unconventional terrorist attacks is rare, the CSOs
    reported much better preparation for threats such as cyberattacks,
    natural disasters and violent employees. Ninety-four percent of those
    surveyed said they have contingency plans in place for natural
    disasters and 86% for cyberattacks. Eighty percent said their
    companies are prepared for attacks from violent employees or former

    Indeed, the survey showed that companies are quick to slam the door on
    former employees. Seventy-four percent of those surveyed block network
    access to e-mail and critical documents within one business day of
    employees being fired or leaving a company, and 81% block physical
    access within one business day.

    The theft of intellectual property or other proprietary information is
    also a top concern of CSOs, with 91% saying that managing access to
    critical information and documents is either "extremely important" or
    "very important."

    The study also showed that those concerns are often well placed.
    Fifteen percent of the respondents said their employer has lost or had
    critical documents or corporate information copied without
    authorization in the past year. Almost a quarter said they could not
    be sure whether such losses had occurred at their company.

    However, concerns about the theft of proprietary information aren't
    influencing decisions about which security products to buy. Only 11%
    of the CSOs surveyed said that the theft of intellectual property was
    the primary factor in security spending, which averaged $16.6 million
    annually among those surveyed. Instead, the desire to comply with
    government regulations is a bigger motivator. Forty-nine percent cited
    "issues related to regulatory compliance" as the prime reason behind
    their security purchases.

    Companies need to have policies and processes in place that protect
    their most important assets and ensure the safety and welfare of their
    employees, said Lew McCreary, CSO's editor in chief. Among other
    consequences, organizations that are shown to have ignored the
    interests of either shareholders or employees in the wake of a
    disaster could be held legally liable for losses and damage.

    Clearly articulated policies and procedures for emergencies and
    frequent exercises that reinforce those procedures are a good place to
    start, McCreary said. But companies also need to weigh the costs and
    benefits of any plans to guard against attacks, including those
    involving weapons of mass destruction.

    "Companies can't go crazy worrying about the likelihood of a terrorist
    event if the cost of remediating such an event is going to be
    prohibitive," he said.

    CSO magazine is published by CXO Media Inc., a subsidiary of
    International Data Group, which also owns the IDG News Service and