So-called “defense-in-depth” is just another way of saying “you’ve got a bunch of technologies that overlap and that don’t handle security in a straightforward manner,” says Alastair MacWillson, global managing director of Accenture’s security practice. “It’s like putting 20 locks on your door because you’re not comfortable that any of them works.”
Yet a case can be made that respondents aren’t worried enough, particularly about lost and stolen company and customer data. Only one-third of U.S. survey respondents and less than half of those in China cite “preventing breaches” as their biggest security challenge. Only one-quarter of U.S. respondents rank either unauthorized employee access to files and data or theft of customer data by outsiders in their top three security priorities, and even fewer put the loss or theft of mobile devices containing corporate data or the theft of intellectual property in that category.
This lack of urgency persists despite highly publicized–and highly embarrassing–data-loss incidents in the last year and a half involving retailer TJX, the Department of Veterans Affairs, and the Georgia Community Health Department, among many, many others. Instead, as with last year, the top three security priorities are viruses or worms (65% of U.S. respondents, 75% in China), spyware and malware (56% and 61%), and spam (40% in both countries).
So are security pros focusing on the wrong things? Yes, says Jerry Dixon, director of Homeland Security’s National Cyber Security Division. “You need to know where your data resides and who has access to it,” Dixon says. It seems as though security pros are missing the point, choosing to focus on the security threats with which they’re most familiar as opposed to emerging threats designed to cash in on the value of customer data and intellectual property. “We’re always concerned about people sharing their authentication credentials with someone else or with information leaving the organization via laptops or memory sticks,” Marreel says.
For instance, exploiting known operating system vulnerabilities is the leading method of attack in both countries–43% of respondents in the United States and a whopping two-thirds in China say so. Of the 804 U.S. respondents admitting to having experienced breaches or espionage in the past 12 months, 18% attribute the problem to unauthorized employees, and 16% suspect authorized users and employees. But that’s down from nearly 25% of companies reporting breaches in 2006.
Laptops and portable storage devices are being stolen from employees’ cars and homes in mind-boggling numbers. Last month, a backup computer storage device with the names and Social Security numbers of every employee in the state of Ohio–more than 64,000 records–was stolen from a state intern’s car. In April, the Georgia Department of Community Health reported the loss of 2.9 million records containing personal information, including full names, addresses, birth dates, Medicaid and children’s health care recipient identification numbers, and Social Security numbers, when a computer disk went missing from service provider Affiliated Computer Services, which was contracted to handle health care claims for the state. “If a partner or service provider has access to any of our data, we want a security paragraph written into our contract that gives us the right to perform a security audit against them and to perform these audits regularly,” says Randy Barr, chief security officer of WebEx, a Web-conferencing company.
Still, 42% of respondents say data leakage is bad enough that employees should be fined or punished in some way for their role in security breaches, once those employees have been trained. Consultant MacLean takes an even tougher tack: “Termination is pretty severe, but in some cases it’s appropriate, as is civil or even criminal prosecution.”
A significant number of respondents want to put the responsibility for porous security on the companies selling them security technology. Forty-five percent of U.S. companies and 47% of companies in China think security vendors should be held legally and financially liable for security vulnerabilities in their products and services. Some of the unease about corporate IT security may stem from the fact that most companies don’t have a centralized security executive assessing risks and threats and then calling the shots to address these concerns.
The process for setting security policy in most companies is collaborative, and groups comprising the CIO, CEO, IT management, and security management all have input. Eisenhower Medical Center doesn’t have a chief information security officer, instead relying on its general counsel to make regulatory compliance decisions, and on CIO Perez, working with system administrators, to set security policy. “We gather information from each director in each department to find out what systems and data they need access to,” Perez says. “The doctors want easy access, and we’re trying to make it more secure.”
The number of chief information security officers has grown significantly in the last year. Roughly three-quarters of survey respondents say their companies have CISOs, compared with 39% in 2006. CISOs predominantly report to the CEO or the CIO.
When it comes to the ultimate sign-off, however, half of U.S. companies say that the CEO determines security spending.
In the United States, the greatest percentage of respondents, 37%, say their companies assess risks and threats without the input of a CISO, while an astounding 22% say they don’t regularly assess security risks and threats at all.
In the United States, the portion of IT budgets devoted to security remains pretty flat; companies plan to spend an average of 12% this year, compared with 13% last year. China, on the other hand, is on a security spending spree: The average percentage of IT budget devoted to security this year is 19%, compared with 16% in 2006. It’s interesting to note that 39% of U.S. companies and 55% in China expect 2007 security spending levels to surpass those in 2006.
If it all sounds overwhelming, don’t panic. While information security has gotten more complex–as attackers alter both their methods and their targets, and companies layer more and more security products on top of each other–the good news is that the measures required to plug most security holes often come down to common sense, an increasingly important quality to look for in any employee or manager handling sensitive data.
http://www.darkreading.com/document.asp?doc_id=129128&WT.svl=cmpnews1_1