Finding 1:
IT Executives Say Security Is Adequate Despite Threats
Security snafus often make news, but most CIOs aren’t rattled. As previous CIO Insight surveys have shown, very few IT executives think their companies are at high risk, and most feel their IT security measures are up to the job. True, IT executives at firms that see themselves at high to moderate risk are somewhat more likely to express doubts, and as later findings show, there are still many threats. But increases in security budgets, along with confidence that security technologies are improving, are keeping anxieties under control, enough so that CIOs should beware of overconfidence.
Finding 2:
Online Fraud and Theft Has Hurt Few Companies
But more than one company in five report some sort of security breach.
With all the publicity about phishing and other online scams, one of the goals of this year’s security survey was to find out whether hackers, cybercriminals and insiders also were managing to steal money from companies, or whether the threat was becoming an especially important concern. That doesn’t appear to be the case. Only 8 percent say theft or diversion of money from their company and its customers is one of their top internal security concerns. Few respondents say their companies were robbed or had property stolen, and of those who do, more cite theft of paper documents than any other kind of theft. While consumers may be ravaged by identity theft and phishing scams, IT executives feel they are taking precautions and say their own companies are relatively immune from comparable threats and fraud. In fact, more expressed confidence their companies can avert these crimes than avoid being struck by viruses and other security problems.
Finding 3:
Careless Employees and Lost Laptops Are Danger No. 1
IT executives remain more concerned about thoughtless behavior and lack of security awareness than any other security-related employee behavior. That concern carries over to social networking sites and blogs. But what’s new is that this year’s survey finds lost or stolen laptops and storage media are considered the biggest threat to IT assets. Could stronger, better-enforced policies help? It seems that way. Many feel their policies aren’t followed by a significant portion of their employees. And while most companies do have acceptable use policies in place, far fewer have policies for deleting data that is no longer needed, moving equipment and tapes, and working with company or customer data outside the office.
Finding 4:
Weak Protection Policies Put Social Security Numbers at Risk
Forty-four percent of the organizations we polled collect their consumers’ Social Security numbers. How well are they able to protect them? Over 90 percent of respondents have a corporate privacy policy in place covering employee and customer data. However, while companies that collect Social Security numbers tend to be more stringent in protecting personal data than companies that don’t, many of their privacy policies have gaping holes or go unenforced. Furthermore, as our earlier security surveys have shown, many companies.
Finding 5:
Companies Are Diversifying Their Security Spending
The increase in security spending isn’t in IT staff, security suites or intrusion detection. Spending increases on specific line items are rising more slowly than the overall increase in IT spending. Instead, budgets are rising because more companies are spending on authentication, encryption, security training and consulting. The additional spending on training is especially good news, given that so much of the threat to security is due to poor judgment rather than technical problems.
Finding 6:
More Companies Are Backing Off Windows Amid Doubts About Vista Security
Microsoft posted a 65% increase in third quarter earnings due to strong sales of Vista. Nevertheless, Microsoft hasn’t convinced many IT executives that Vista is more secure than earlier versions of Windows—and that’s costing Redmond. These executives are much more likely to start moving systems away from Windows than those who believe Vista is a step up when it comes to security. Vista’s strong sales in the short term are obscuring a significant long-term problem.