Survey: Corporate IT still vulnerable to attack
By By Brian Fonseca
(IDG) -- According to a survey by Computer Sciences (CSC), many corporate information systems remain open to cyberattack.
And many IS managers don't consider security practices and policies to be a top priority in their organizations.
Geared specifically toward information security, the study's findings are a new addendum to CSC's 14th Annual Critical Issues of Information Systems Study released in August. The survey questioned more than 1,000 IT executives around the world.
The new data introduced this week examines responses following the September 11 attacks, says Ronald Knode, director of global security service delivery for CSC, which is based in El Segundo, California.
The survey showed that 46 percent of respondents don't have a formal information-security policy in place, 59 percent don't have a formal compliance program to support their information-system efforts, and 68 percent don't conduct regular security-risk analysis or security-status tracking.
Despite the growing number of complex computer assaults, Knode says many organizations still consider information security to be an IT issue and as such don't adequately prepare for its potential impact on general business operations.
"We believe that information risk management ought to be as much a part of a business decision as any other perspective or activity," Knode says. "It needs to be measured frequently to tell if (a company) is getting better or worse. Make security part of the business -- not only as sheriff, but enhancer or business enabler."
According to the CSC survey, the two most pressing issues for global technology executives are extracting the most value out of their existing enterprise systems and optimizing organizational value -- from senior management down -- in a collaborative effort.
Knode says that if a customer has the ability to test and retest the company's threshold of defense, IT managers can then pool the necessary elements to act on a security problem; assets can then be re-allocated and monitored more strictly in vulnerable areas within an infrastructure.
But with very few exceptions, there are no globally accepted information security standards that are easily measured and interpreted, he says.
Knode says that CSC's security customers have expressed interest in predominantly two things since September 11: doing a vulnerability assessment and determining the proper questions to ask internally and of a service provider once the vulnerability answers are clear. CSC operates outsourced security services in a program called CyberCare.
"That's a tremendously encouraging sign -- it says companies are willing to redefine the level of services they want and they never redefine it lower. It is a normal impulse to elevate," Knode says.
CSC recommends that businesses undertake the following steps to bolster their existing information-security policy and procedures.
Create a task force accountable for the operation and designation of an information-security policy program.
Establish a clear and concise information-security agenda.
Carry out regularly scheduled audits and investigate results.
Disperse information to teams within an organization, define roles.
Firms warned of 'drive-by hackers'
November 21, 2001
Companies examine cyber-security
September 21, 2001
Viruses are getting faster, tougher
September 20, 2001
RELATED IDG.net STORIES:
2001 InfoWorld security solutions research report
Security concerns top Comdex agenda
IBM creates institute, council on privacy
Can security through obscurity be a good thing?
Wireless security is concern, says Handspring
Feds urged to boost cybersecurity
Business Layers enhances security software
Gloomy skies over IT security clearing
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.
TECHNOLOGY TOP STORIES:
Report: SUVs pose danger to cars
New telemarketer tool trumps TeleZapper
Terra Lycos logs $2.2B loss
AOL to offer song downloads
Microsoft seeks fiscal fountain of youth
|Back to the top|