CyberSecurity Institute

Security News Curated from across the world

Month: July 2004

Cost dictates security plans

Posted on July 12, 2004 / December 30, 2021 by admini

Some 91 per cent of North American and 88 per cent of European businesses use basic passwords to protect their data.

Only 45 per cent of North American businesses and 32 per cent in Europe use multiple log-ons or passwords with tiered or graded authentication.

Just 19 per cent of North American businesses use one-time passwords or access tokens, compared with five per cent of Europeans, six per cent of Asia-Pacific businesses and seven per cent of South Americans.

Meta Group analyst Tom Scholtz pointed out that businesses often have good intentions when it comes to improving security, but cost inevitably becomes a problem. “When it comes to things such as passwords, the whole issue is around strong authentication. You should have things like tokens and smartcards, but the issue always comes down to cost versus benefit,” he said.

“Many organisations have been investing in strong authentication but, when they’ve done the initial pilots and calculated the costs, not just for software and hardware but for management, they realise that the cost per user is usually high, and the business maybe doesn’t want to pay for it.”

Beatrice Rogers, e-business manager at industry trade body Intellect, accepts that cost is a major factor in the adherence to security best practice. “During the downturn there was a cutback in IT spending and people were looking for direct return on investment for their bottom line,” she explained. “It is very difficult to make a proposition on internal investment, especially for IT directors not reporting directly to the board, until there has been a problem and it’s too late. What will make an impact is the spate of regulations that are coming out around corporate governance – Basel, Basel II, Sarbanes-Oxley, FSA regulations that create the need for more data security – and that will probably push up IT spend overall.”

Peter Sommer, security expert at the London School of Economics, maintains that laziness is to blame. “The trouble is that we have 10 years of literature about this sort of thing, from the unreadably academic to the downright popular, and it’s astonishing that people are still being very lazy about it. The only thing that works is a well publicised disaster,” he said.

Biometrics, touted for the past seven years or so as the next great security solution, is still very much in its infancy, according to the survey.

Just two per cent of European respondents use biometric-based security, compared with five per cent of North Americans, four per cent of South American businesses and eight per cent of those in the Asia-Pacific region. According to Scholtz, these companies are going to stay in the minority for some time to come.

When it comes to security spending, the survey found that European companies allocate 11 per cent of their budgets to security, compared with 12 per cent in North America, 16 per cent in South America and 17 per cent in Asia-Pacific.

In the UK, the mean figure came out at just 9.4 per cent.

“These figures are very interesting,” said Scholtz. “As a rule we recommend organisations spend between three and eight per cent. If they’re spending 11 per cent, I’m not sure organisations always know how to capture that number.”

But Rogers suggested that company culture dictates the level of security spending.

“Security is only as good as the people who run it, so it comes down to training and culture and embedding that within the organisation,” she said.

“Having the systems and the policies are not enough if they are not being used and the policy sits on the shelf. Culture has to be embedded from the very top right down to the very bottom.

“Best practice is about knowing which parts of your systems need which level of security.

“Each organisation must understand its own risk profile and allow this to drive its security spend. However, even with an ample budget, if the spend is not effectively placed, then it will do little to mitigate risk,” he explained.

Enhancing application security has emerged as the biggest security priority over the next 12 months, followed by the installation of better access controls, securing remote access and monitoring user compliance in conjunction with policies.

http://www.vnunet.com/features/1156593

Metasploit Framework (Part One of Three) – The Prometheus Of Exploitation (Technical article)

Posted on July 12, 2004 / December 30, 2021 by admini

This article provides an insight into the basics of exploit development frameworks, with a special focus on the Metasploit Framework and how it can be exploited to save time and resources. It describes the framework's usage with graphical illustrations, details the various commands available, describes features, gives practical examples and, most importantly, uses these skills to develop new exploits and test out new techniques.

The article concludes by explaining why MSF will influence the future of exploitation in a momentous and positive way.

http://www.securityfocus.com/infocus/1789

The attack of the US$2 million worm

Posted on July 7, 2004 / December 30, 2021 by admini

Out of 162 companies contacted, 84 percent said their business operations have been disrupted and disabled by Internet security events during the last three years.

Though the average rate of business operations disruption was one incident per year, about 15 percent of the surveyed companies said their operations had been halted and disabled more than seven times over a three-year period.

The portents for enterprises are alarming, given the increased use of the Internet for core business activities.

About three-fourths of the companies contacted by Aberdeen indicated they are increasing online sales and customer service, 55 percent will do more procurement and sourcing through the Web, and 48 percent want to enhance online distribution and fulfillment activities.

“Increasing usage of the Internet for these core business functions means that business disruptions from Internet security can seriously impact a company’s revenue,” Aberdeen analyst Jim Hurley said in a release.

The market researcher calculates that the median annual revenue loss rate can vary from US$6,700 for a US$10 million company to US$20.1 million for a Global 5,000 company with US$30 billion revenue.

The first six months of 2004 saw an increasing number of attacks on Internet security.

Disruptive Internet agents that have raised the level of concern include worms, viruses, spyware, hacker attacks, denial-of-service attacks, attacks on e-mail and Web systems, and attacks on company data and applications.

Some of the most malicious mass-mailing worms roaming the Net include the Bagle and Sasser worms.

Security experts recently unearthed a pernicious pop-up program that reads keystrokes and steals passwords.

Most businesses are worried that their operations are exposed to Internet-based threats.

For instance, 80 percent of survey respondents indicated that they’re worried about network outages, 86 percent are worried about Internet security threats, 84 percent are worried about compromised IT systems, 85 percent are worried about compromises to data integrity, and 71 percent are worried about human errors that may lead to Internet business disruptions.

http://www.zdnet.com.au/news/security/0,2000061744,39152626,00.htm

Cover Your Apps – 5 Security Myths

Posted on July 7, 2004 / December 30, 2021 by admini

With firewalls and patch management now being standard practices, the network perimeter has become increasingly secure. Determined to stay a step ahead, hackers have moved up the software stack, focusing on the Web site itself. According to a Gartner analyst, more than 70 percent of cyberattacks occur at the application layer.

1. “The Web site uses SSL, so it’s secure.”
SSL by itself does not secure a Web site. SSL does not protect the information stored on the site once it arrives.

2. “A firewall protects the Web site, so it’s safe.”
Firewalls allow traffic to pass through to a Web site but lack the ability to protect the site itself from malicious activity.

3. “The vulnerability scanner reported no security issues, so the Web site is secure.”
Vulnerability scanners have been used since the early ’90s to point out well-known network security flaws. However, they neglect the security of custom Web applications running on the Web server, which usually remain full of holes. Up-to-date vulnerability scanners now achieve more than 90 percent vulnerability coverage on the average network, but they sparsely target the Web-application layer because there are no well-known security issues present in custom-written Web code.

4. “Web application security is a developer problem.”
Sure, developers are part of the problem, but many factors beyond their control contribute to software security. For example, source code can originate from a variety of locations besides in-house. A company might have code developed by an offshore firm to intermingle with existing code.

5. “Security assessments are performed on the Web site every year, so it’s secure.”
The high rate of change in normal Web-site code rapidly decays the accuracy of even the most recent of security reports. As each new revision of a Web application is developed and pushed, the potential for new security issues increases.

http://www.varbusiness.com/sections/news/breakingnews.jhtml%3Bjsessionid=N241AGHB04JH2QSNDBCSKHY?articleId=22104030