Regulatory compliance, internal attacks, and the vulnerability of electronic communications - especially instant messaging and e-mail - are among the key factors reshaping data security systems, according to the US results of the 8th annual Global Information Security Survey by InformationWeek Magazine and Accenture.

At the same time, the US Information Security Survey uncovered indications that companies and organizations are failing to provide rigorous protection of customer and client data. The survey, which was conducted over the Web this summer, received responses from more than 2,500 US information technology and security professionals.


-- Compliance is reshaping corporate security practices.

-- Security attacks are becoming increasingly more sophisticated, yet basic passwords continue to be the most common line of defense.

-- Security breaches are increasingly coming from within, forcing companies to keep tabs on their employees.

-- Vulnerabilities in operating systems and applications - including the use of instant messaging - continue to be common points of entry.

-- Concern continues to grow over privacy and identity theft, yet organizations are failing to provide rigorous protection of customer data.

"Companies are taking a more structured approach to information security and making it more of a priority," said Alastair MacWillson, partner in charge of Accenture's security practice. "Many companies are beginning to see the benefits in leveraging new technologies to proactively assess and manage threats and vulnerabilities, and are consolidating, integrating and securing applications to improve integrity and productivity."

Regulatory Impact

There are indications that compliance requirements like Sarbanes-Oxley, HIPAA, the U.S. Home Security Act and the US Patriot Act are reshaping corporate security practices. According to the survey:

-- 60 percent view regulatory compliance as more of a governance issue than a technology problem.

-- Over half of the survey respondents report that government regulations have pressured their company to adopt a more structured approach to information security.

-- About two in five say the threat of government penalties has made achieving regulatory compliance an information security priority.

-- While only a third say achieving compliance is a main catalyst of security-related purchases, over half say it has made their company more cautious about their use of security hardware, applications and services.

Threat Perception and Attacks

Security attacks are constantly evolving, making it difficult for companies to stay one step ahead.

For example:

-- Malicious intent is a concern for 45 percent of respondents. Yet few tie their firm's vulnerability to the lack of a well-defined information security strategy or managerial involvement in security practices and policies.

-- One third of respondents blame budget constraints for their firm's susceptibility to security breaches.

-- Significant damages attributed to actual attacks - financial losses, security incursions and identity theft - are uncommon.

-- Planted spyware code, however, has caused slowdowns in network performance and employee productivity in three quarters of the companies.

-- Viruses affected two-thirds of surveyed sites last year.

-- E-mail is proving to be the launching point of assaults, with falsified information in an e-mail attachment reported as the primary method of attack at 35 percent of surveyed sites.

-- Minor financial losses were confirmed at one in five sites.

Security Tactics

As a result of the vulnerabilities with instant messaging and E-mail, electronic communication has become a major focus of employee monitoring with attachments and content of outbound messages carefully scrutinized. Basic-user passwords still remain the most prevalent method used by companies to protect themselves against security breaches. Informing employees of privacy or behavior standards, posting privacy policies online and using secure Web transactions are the steps taken to safeguard the privacy of customer data. In addition, the survey reveals that:

-- Only a quarter of respondents report no monitoring of workers.

-- The monitoring of instant messaging has jumped from 25 percent to 34 percent since last year's survey.

-- Only 15 percent of sites have created the position of chief privacy officer and less than 30 percent have conducted privacy policy audits to ensure there are adequate guidelines. In fact, practices concerning the security of customer data are categorized as only fairly rigorous at half of the sites.

Security Costs

A majority of US companies spend below $500,000 on security expenses, with half anticipating increased spending in 2005 over the previous year, and only 3 percent expecting spending to decline. Performance and return on investment count the most when purchasing security products.

"Despite the fact that information security professionals are adopting many state-of-the-art security practices, certain lapses still exist that can result in serious financial losses for corporations or a violation of customer trust," said Rusty Weston editor, InformationWeek Research. "Security professionals lack the ability to control every point of entry, but worse, they have too much faith in technology that claims to automate network defenses." read more