http://www.eweek.com/article2/0,1895,1979924,00.asp By Matt Hines June 21, 2006 Over half of all companies doing business in the technology, media and telecommunications sectors have experienced data breaches that potentially exposed their intellectual property or customer information, a new research report shows. According to the report, published by Deloitte Touche Tohmatsu, not only have many technology providers been hit with the same sorts of data losses that have recently plagued other industries, but a large number of the firms have also failed to make sufficient investments in security technologies aimed at preventing future incidents. Deloitte researchers said that security has long been "neglected" by technology, media and telecommunications companies despite their dependence on digital information to run their businesses. The consulting company surveyed executives at 150 such companies and found that even in the face of public embarrassment, financial losses and potential litigation linked to data breaches, many of the businesses have yet to make necessary investments to more adequately protect their information. According to the report, more than 50 percent of the companies surveyed admitted to having a data loss within the last 12 months, with roughly one-third of those incidents directly resulting in financial losses. Half of the companies reporting data breaches said the incidents involved internal attacks or policy violations. Of the firms surveyed, only 4 percent said their employers are doing enough to address the issue, and just 20 percent of respondents said that they feel confident that their companies' intellectual property is being sufficiently safeguarded. Some 24 percent of interviewees said that the security tools they have installed are being used effectively. While phishing schemes continue to pose a major threat to companies' customer information and brand reputations, only 18 percent of those executives surveyed said that their firms have employed technologies aimed at preventing the attacks. Deloitte said that 37 percent of the companies it interviewed have provided additional security training to their employees within the last 12 months. At the heart of the issue, the report said, is companies' reluctance to increase their spending on new security measures. While 74 percent of survey respondents said that they expect to spend more time and money on improving security in 2006, the average budget increase among those companies was only 9 percent. Fewer than 15 percent of those increasing their security budgets planned to do so by over 20 percent, Deloitte said. Despite the sobering statistics, Deloitte researchers said that technology, media and telecommunications companies are beginning to make changes to improve their IT defenses and security policies. Regulations such as the U.S. government's Sarbanes-Oxley Act have help pave the way for those improvements, said Brian Geffert, principal of security and privacy services at Deloitte. "Sarbanes got people to understand security a bit more, and now more people are catching up; more CEOs are communicating directly with chief information security officers, and I think we will see a lot more investment from these particular companies," said Geffert. "To a degree people are in the stage where they are still making plans, and not yet fully engaged in moving forward, but there's progress." Only 63 percent of respondents to the survey said they have a senior-level executive in their company dedicated to managing security issues, with 53 percent of information technology companies employing those types of leaders. Deloitte noted that those numbers were lower than the proportion of companies in other industries with C-level security executives already in place. Further, the survey found that 52 percent of technology, media and telecommunications companies consider security a problem for IT departments, rather than viewing the issue as a central business concern. The top five information security concerns identified by the executives polled were those related to instant messaging systems, phishing schemes, viruses that attack mobile devices, hacks into online brokerage accounts and other Web-based crimes. So-called insider attacks, or threats emanating from employees or other people with legitimate access to IT systems, are another major concern. However, only 59 percent of the companies interviewed said that they have any form of employee behavior monitoring technology in place. While 25 percent of respondents listed cited insider fraud as their primary internal security concern, 22 percent pointed to data losses such as the incidents that have recently victimized the U.S. Department of Veterans Affairs and insurance giant American International Group as their greatest fear. "These data leaks are starting to make people think differently about the manner in which they handle data, and you also have the emergence of small storage devices capable of carrying off a boatload of data, those things have opened people's eyes," Geffert said. "At the end of the day, it's all about getting people to look at their work habits differently and letting workers know what their responsibilities are for protecting the data; technology companies are a bit behind other industries today, but there's no reason that they cannot catch up." _________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3 2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Thu Jun 22 2006 - 00:38:14 PDT