September 2006 Security Survey: CIOs Need to Fill Holes in Security and Privacy Policies

By Allan Alter  |  Posted 09-27-2006

Three-quarters of CIOs have confidence in their company's IT security, but there are plenty of reasons to wonder why they do. In our survey, we asked about 14 IT security practices and about seven general practices for protecting customer and employee data. Of them, only three are in place at 80 percent or more of our respondents' companies. Some policies, such as rules governing working with company data outside the office, the use of instant messaging, and password protection for hard drives, are done by only about half of respondents.

The reality? IT security is still riddled with holes. Antivirus software is almost ubiquitous and VPNs are now commonplace, but that's not enough to ensure security. If companies want to get serious about preventing thieves from stealing data, they will have to start closing these gaps.

For more data and analysis, see CIO Insight's Research Center blog at go.cioinsight.com/researchcentral.

Finding 7: Most companies still don't do enough to keep employee and customer data private.
There's been some improvement, but only half of our respondents notify people immediately when their private data has been taken. And other than adding password protection to company computers, companies haven't taken additional steps to secure data. The lack of progress is placing companies at risk—of lawsuits, financial losses and more restrictive privacy legislation.

Finding 8: Companies still need to tighten their security policies.
Only four out of 14 security policies are solidly in place at three-quarters or more of our respondents' companies. And given the news reports about tapes and backup data that were lost during physical moves, it's surprising that so few companies have implemented policies to guide third parties such as drivers. Overall, there's plenty of room for improvement, and more reason to question whether IT executives have excessive faith in their security.

Research Guide:

  • Finding 1: Employee negligence and Microsoft vulnerabilities are considered the most significant IT-security risks.
  • Finding 2: Almost half of large companies have been targeted by online criminals.
  • Finding 3: One company in six has lost equipment containing company data in the past year.
  • Finding 4: Confidence in IT security remains high, despite security problems.
  • Finding 5: Overall satisfaction with security technologies is keeping confidence levels high.
  • Finding 6: The adoption of comprehensive strategies is also boosting confidence.
  • Finding 7: Most companies still don't do enough to keep employee and customer data private.
  • Finding 8: Companies still need to tighten their security policies.

Read our previous surveys on IT security, privacy and risk:

  • September 2005: Security Relaxes as IT Threats Increase
  • September 2004: Security and Privacy: Do You Feel More Secure Than Last Year?
  • August 2003: Is Your Security Comfort Level Too High?
  • September 2002: Rethinking Risk
  • February 2002: Security 2002
  • October 2001: Disaster Recovery 2001

Related stories:

Trends:

  • Double Identity: Pressure Increases, but CIOs Still Struggle to Stop Identity Theft (September 2005)
  • Intellectual Security: Patent e-Engineering Security (August 2003)

Case studies:

  • Lexis-Nexis: Ground Zero for War vs. Data Thieves (September 2005)
  • Ships Systems: Surviving the Storm, and the Recovery (September 2005)

Interviews and Expert Voices:

  • Ira Winkler: Security is Easier—And Crooks Are Dumber—Than You Think (September 2005)
  • Larry Ponemon, Ponemon Institute: Making Privacy Work (September 2004)
  • Jim Seligman, CIO, Centers for Disease Control: An Ounce of Prevention (September 2004)
  • Bruce Schneier, Counterpane Internet Security: How to Fight (August 2003)

Technology:

  • Outsourced Security: An Idea CIOs Loathe (September 2005)
  • Identity Management: Who are You? (September 2004)

Whiteboards:

  • Hugh Dubberly: The Information Loop (September 2004)
  • Gary Lynch and Karen Avery: How to Improve Your IT Security Policy: A Six Sigma Approach (August 2003)

Opinion:

  • Dan Gillmor: Customer Data May be Too Risky to Keep (September 2005)
  • Darwin John: Whose Data Is It, Anyway? (September 2004)
  • Eric Nee: Making Legitimate Business From Data Theft? (September 2005)