Cyber Security Institute

Monday, July 12, 2004

Cost dictates security plans

Businesses across the globe believe that their operations are under greater threat than ever before.  But findings from the Global Information Security Survey, which questioned 7,000 business technology and security professionals in 40 countries, highlight the primitive measures being used to defend against a significant menace.

Some 91 per cent of North American and 88 per cent of European businesses use basic passwords to protect their data.

Only 45 per cent of North American businesses and 32 per cent in Europe use multiple log-ons or passwords with tiered or graded authentication.

Just 19 per cent of North American businesses use one-time passwords or access tokens, compared with five per cent of Europeans, six per cent of Asia-Pacific businesses and seven per cent of South Americans.

Meta Group analyst Tom Scholtz pointed out that businesses often have good intentions when it comes to improving security, but cost inevitably becomes a problem.  “When it comes to things such as passwords, the whole issue is around strong authentication.  You should have things like tokens and smartcards, but the issue always comes down to cost versus benefit,” he said.

“Many organisations have been investing in strong authentication but, when they’ve done the initial pilots and calculated the costs, not just for software and hardware but for management, they realise that the cost per user is usually high, and the business maybe doesn’t want to pay for it.”

Beatrice Rogers, e-business manager at industry trade body Intellect, accepts that cost is a major factor in the adherence to security best practice.  “During the downturn there was a cutback in IT spending and people were looking for direct return on investment for their bottom line,” she explained.  “It is very difficult to make a proposition on internal investment, especially for IT directors not reporting directly to the board, until there has been a problem and it’s too late.  What will make an impact is the spate of regulations that are coming out around corporate governance - Basel, Basel II, Sarbanes-Oxley, FSA regulations that create the need for more data security - and that will probably push up IT spend overall.”

Peter Sommer, security expert at the London School of Economics, maintains that laziness is to blame.  “The trouble is that we have 10 years of literature about this sort of thing, from the unreadably academic to the downright popular, and it’s astonishing that people are still being very lazy about it.  The only thing that works is a well publicised disaster,” he said.

Biometrics, touted for the past seven years or so as the next great security solution, is still very much in its infancy, according to the survey.

Just two per cent of European respondents use biometric-based security, compared with five per cent of North Americans, four per cent of South American businesses and eight per cent of those in the Asia-Pacific region.  According to Scholtz, these companies are going to stay in the minority for some time to come.

When it comes to security spending, the survey found that European companies allocate 11 per cent of their budgets to security, compared with 12 per cent in North America, 16 per cent in South America and 17 per cent in Asia-Pacific.

In the UK, the mean figure came out at just 9.4 per cent.

“These figures are very interesting,” said Scholtz.  “As a rule we recommend organisations spend between three and eight per cent.  If they’re spending 11 per cent, I’m not sure organisations always know how to capture that number.”

But Rogers suggested that company culture dictates the level of security spending.

“Security is only as good as the people who run it, so it comes down to training and culture and embedding that within the organisation,” she said.

“Having the systems and the policies are not enough if they are not being used and the policy sits on the shelf.

“Culture has to be embedded from the very top right down to the very bottom.

“Best practice is about knowing which parts of your systems need which level of security.

“Each organisation must understand its own risk profile and allow this to drive its security spend.

However, even with an ample budget, if the spend is not effectively placed, then it will do little to mitigate risk,” he explained.

Enhancing application security has emerged as the biggest security priority over the next 12 months, followed by the installation of better access controls, securing remote access and monitoring user compliance in conjunction with policies.

Posted on 07/12