I recently came across some very interesting survey information published by Deloitte Touche Tohmatsu (DTT). The company surveyed security executives at 150 companies in 30 countries, all in the technology, media, and telecommunications (TMT) sector. The results shed some light on why some companies remain exposed to security breaches. http://www.deloitte.com/dtt/press_release/0,1014,sid%253D2283%2526cid%253D122077,00.html
According to the survey results, the majority of the surveyed companies consider themselves reactive (as opposed to proactive) when it comes to investing in information security. In other words, they spend money in response to breaches but don't typically spend nearly as much money to prevent breaches.
Only 4 percent of the companies think they're addressing the problem sufficiently; only 25 percent have already implemented or are in the process of implementing antiphishing protection; only 37 percent provided security training to employees over the past 12 months; only 24 percent believe their current security tools are being used effectively; and only 33 percent perform security risk assessments.
Another interesting pair of findings is that half of the companies that suffered breaches over the past 12 months were victims of insider attacks, yet only 47 percent of the companies believe they are adequately protected against such internal attacks.
Brian Geffert, principal of Deloitte Security and Privacy Services, said about the survey findings, "When it comes to security, TMT companies are talking the talk but not yet walking the walk. Survey respondents say that security is a top concern, but it is still not being addressed across the organization from a risk-based perspective, despite recent breaches costing million[s] of dollars of damage and inestimable harm to companies' reputations, brands, revenue and productivity. In fact, more than half of security executives surveyed admit that their security investments are falling behind the threats or at best just catching up."
Eye opening, isn't it? In a parallel study, DTT polled financial institutions as well as life sciences and health care companies. Although DTT didn't say how many companies took part in those studies, it did say that 78 percent of the financial institutions had experienced an external security breach and 49 percent had experienced an internal security breach in the past year. Seventeen percent of life sciences and health care companies had experienced an external security breach and 9 percent had experienced internal breaches. Wow!
How many news stories have you read over the past several months about some company suffering either an intrusion or equipment loss that exposed people's private information? We can't go more than a week or so without yet another of these stories coming to the surface, which just reinforces DTT's findings.
It seems to me, even more so in light of DTT's survey results, that the problems of intrusion and identity theft must be due to a lack of diligence, or maybe a lack of funding to support proper diligence.
After all, with proper funding, how hard is it to diligently defend your enterprise network, and how hard is it to diligently protect your mobile computing devices and backup media? Defending the network can be tedious, of course, but it isn't overly difficult. Protecting devices and media requires mostly attentiveness and common sense on the part of users to avoid theft or other forms of loss.
If, in your opinion, your company isn't providing adequate resources for a diligent approach to information security, consider pointing your executives or decision makers to this editorial and DTT's press release. Maybe it'll help open some eyes.