September 2006 Security Survey: Security Breaches Strike One in Three Companies

By Allan Alter  |  Posted 09-07-2006

The first set of results from our latest annual Security Survey provides an update from the war zone that is IT security. There's plenty of bad news: over half of companies over $1 billion report security breaches in the past 12 months, and 45 percent have been targeted by organized criminals. Penetration by spyware and viruses remains a problem, but it's not the only one: nearly half of all companies that have had security breaches say equipment containing company data has been lost or stolen. Many other organizations besides the Veterans Administration and Fidelity Investments have lost laptops containing sensitive personal data.

What's behind these unhappy numbers? We asked respondents to name their top three internal security concerns, and which technologies are seen as the top three security threats. Careless, risky employee behavior, lack of awareness and management resistance still have CIOs worried, while vulnerabilities in Microsoft software top the list of technical threats. In fact, 30 percent say their company has moved some systems off Windows to reduce security risk.

We'll be releasing more findings from the survey each Wednesday this month; see below for the full schedule.

For more data and analysis, see CIO Insight's Research Center blog at go.cioinsight.com/researchcentral.

Finding 1: Employee negligence and Microsoft vulnerabilities are considered the most significant IT-security risks.
There's been no change in the top employee security concerns. But it is revealing to note that when managers resist security policies, their employees are also less likely to follow their companies' policies. Meanwhile, Redmond's worst fears are coming true: Many companies have reduced their Windows dependency because of security concerns.



Finding 2: Almost half of large companies have been targeted by online criminals.
Besides organized crime mobs, large companies are likely to be targeted by disgruntled ex-employees, because bigger companies tend to have more morale problems, as our August "IT Organization Survey" showed. Large companies may also report more attacks because they have invested in detection technology, while crooks and malcontents at smaller companies could be flying under the radar.

Finding 3: One company in six has lost equipment containing company data in the past year.
Many of the year's biggest IT-security news stories, such as the Veterans Administration scandal, involved stolen laptops or equipment. These were not isolated incidents: One in three of our respondents admit to security breaches in the past year. And of those, nearly half say these breaches involved lost or stolen equipment. Viruses and spyware remain the most common problems.

Research Guide:

  • Finding 1: Employee negligence and Microsoft vulnerabilities are considered the most significant IT-security risks.
  • Finding 2: Almost half of large companies have been targeted by online criminals.
  • Finding 3: One company in six has lost equipment containing company data in the past year.

    Upcoming results from the Security survey:

  • Sept 13: Confidence in IT security remains high, despite security problems.
  • Sept 20: Why confidence remains high: security technologies and strategies.
  • Sept 27: Are IT executives being overconfident? Protecting data, tightening policies.

    Read our previous surveys on IT security, privacy and risk:

  • September 2005: Security Relaxes as IT Threats Increase
  • September 2004: Security and Privacy: Do You Feel More Secure Than Last Year?
  • August 2003: Is Your Security Comfort Level Too High?
  • September 2002: Rethinking Risk
  • February 2002: Security 2002
  • October 2001: Disaster Recovery 2001

    Related stories:
    Trends:

  • Double Identity: Pressure Increases, but CIOs Still Struggle to Stop Identity Theft
  • Geekfathers: CyberCrime Mobs Revealed (Baseline May 2005)

    Case studies:

  • Lexis-Nexis: Ground Zero for War vs. Data Thieves (Sept 2005)

    Interviews and Expert Voices:

  • Ira Winkler: Security is Easier—And Crooks Are Dumber—Than You Think (Sept 2005)

    Opinion:

  • Dan Gillmor: Customer Data May be Too Risky to Keep (Sept 2005)
  • Eric Nee: Making Legitimate Business From Data Theft (Sept 2005)