September 2006 Security Survey: It Can't Happen Here—But It Does

By Allan Alter  |  Posted 10-03-2006

Bad things happen to good customers. In the past few months, laptops containing Social Security numbers or customer information were stolen from the Veterans' Administration, Fidelity Investments, Ameriprise Financial and Ernst & Young. The theft of a file server at insurer AIG put a million customers' account data at risk. And organized criminals fraudulently withdrew money from personal accounts at several Massachusetts credit unions. Still, according to this year's CIO Insight Security Survey, IT executives remain confident in their security. Should they be?

Some of this month's survey results seem encouraging: Confidence in security technologies, most notably in antivirus software, remains high. Security spending has increased, although that's due as much to regulatory requirements as to security worries. And more respondents report their companies have an enterprisewide IT security strategy in place.

Still, there's evidence that CIOs could be overconfident. One in three companies reports a security breach in the past year, and one in four says it has been targeted by organized criminals. Management resistance and careless adherence to company security policies remain problems. And many companies still don't use encryption, or do not have policies in place for working with sensitive company data outside the office—policies that might have saved the VA, Fidelity and others a good deal of grief.

For IT security to work, companies must train and motivate personnel to consistently avoid risky behavior, build strong technical defenses that are quick to adapt to new threats, and ensure clear management support for both. What's worrisome is that too many companies aren't good at all three.

Research Guide:
Security Breaches Strike One in Three Companies

  • Finding 1: Employee negligence and Microsoft vulnerabilities are considered the most significant IT-security risks.
  • Finding 2: Almost half of large companies have been targeted by online criminals.
  • Finding 3: One company in six has lost equipment containing company data in the past year.

    Despite Security Problems, Confidence in IT Security Remains High

  • Finding 4: Confidence in IT security remains high, despite security problems.

    CIOs Have High Confidence in Security Vendors

  • Finding 5: Overall satisfaction with security technologies is keeping confidence levels high.
  • Finding 6: The adoption of comprehensive strategies is also boosting confidence.

    CIOs Need To Fill Holes in Security and Privacy Policies

  • Finding 7: Most companies still don't do enough to keep employee and customer data private.
  • Finding 8: Companies still need to tighten their security policies.

    Additional findings from the Security Survey are in Allan Alter's Research Central blog:

  • Little Interest in Outsourcing Security
  • Is Web 2.0 a Security Threat?
  • The Threat of Cyberterrorism
  • Windows, Open Source and Security
  • 54% Say Microsoft Software Is a Security Threat
  • One in Three Companies Report Security Breaches

    Read our previous surveys on IT security, privacy and risk:

  • September 2005: Security Relaxes as IT Threats Increase
  • September 2004: Security and Privacy: Do You Feel More Secure Than Last Year?
  • August 2003: Is Your Security Comfort Level Too High?
  • September 2002: Rethinking Risk
  • February 2002: Security 2002
  • October 2001: Disaster Recovery 2001

    Related stories:
    Trends:

  • Field Report: Security in the World of Web 2.0 (September 2006)
  • The Death of Privacy (September 2006)
  • Intellectual Security: Patent Everything You Do, Before Someone Else Does (December 2005)
  • Outsourced Security: An Idea CIOs Loathe (September 2005)
  • Double Identity: Pressure Increases, but CIOs Still Struggle to Stop Identity Theft (September 2005)
  • Geekfathers: CyberCrime Mobs Revealed (Baseline May 2005)
  • Trust Yourself: The Business Value of Trust (September 2004)
  • Re-Engineering Security (August 2003)

    Case studies:

  • Case Study: Mohegan Sun and the Future of Data Security (September 2006)
  • Commerce Bancorp: Online Fraud—Hired Gun Hunts Phishers (September 2006)
  • Security: Safe Savings for MedicAlert (June 2006)
  • Lexis-Nexis: Ground Zero for War vs. Data Thieves (September 2005)
  • Ships Systems: Surviving the Storm, and the Recovery (September 2005)

    Interviews and Expert Voices:

  • Mike Dreyer, CIO, Visa: The Gatekeeper (September 2006)
  • Jeffrey M. Stanton: The Art of Employee Surveillance (September 2006)
  • Ira Winkler: Security is Easier—And Crooks Are Dumber—Than You Think (September 2005)
  • Larry Ponemon, Ponemon Institute: Making Privacy Work (September 2004)
  • Jim Seligman, CIO, Centers for Disease Control: An Ounce of Prevention (September 2004)
  • Steven Cooper, CIO, Department of Homeland Security: DHS CIO Answers Tough Questions (September 2004)
  • Richard Clarke, former National Coordinator for Security, Infrastructure Protection and Counterterrorism: Clear and Present Danger (August 2003)
  • Jonathan Zittrain, Harvard University: Diminishing Returns (August 2003)
  • Marc Rotenberg, Electronic Privacy Information Center: Building Big Brother (August 2003)
  • Bruce Schneier, Counterpane Internet Security: How to Fight (August 2003)
  • Paul Schoemaker, Wharton Business School: Embracing Uncertainty (September 2002)

    Technology:

  • The Trouble With WiFi (September 2006)
  • Encryption 101 (September 2006)
  • GPS Keeps Parolees on a Short, Smart Leash (September 2006)
  • Enterprise Rights Management Aims Digital Rights at Sensitive Documents (May 2006)
  • Outsourced Security: An Idea CIOs Loathe (September 2005)
  • Identity Management: Who Are You? (September 2004)

    Research:

  • Bleak Prospects for Corporate Data Center (April 2006)

    Whiteboards:

  • Hugh Dubberly: The Information Loop (September 2004)
  • Gary Lynch and Karen Avery: How to Improve Your IT Security Policy: A Six Sigma Approach (August 2003)

    Opinion:

  • Larry Downes: If It Ain't Broke... (September 2006)
  • Dan Gillmor: Customer Data May be Too Risky to Keep (September 2005)
  • Darwin John: Whose Data Is It, Anyway? (September 2004)
  • Eric Nee: Making Legitimate Business From Data Theft? (September 2005)
  • Eric Nee: Mind Your Own Business (September 2004)