“I think that we all know that IT security is a hot topic but that doesn’t necessarily translate into a willingness on the part of management to fund anything that has the IT security label,” said Frank Scavo, president of Computer Economics, which conducted the survey. “And that IT security investments are still subject to the normal budgetary constraints that the CIO has to face on a day-to-day basis.”
CE’s second annual IT Security Study also found that even though large firms are spending, on average, 2.5% of their IT budgets on security, only 56% of those surveyed felt this amount was adequate.
“We speculate that larger organizations are facing greater organizational inertia to adopting best practices or new technologies and mid-size firms are just more agile in those areas,” he said. “In some cases at very large organizations, changing management practices is like turning an ocean liner.”
The survey found that, to no one’s surprise, computer viruses, worms, and Trojans continue to evolve into new and more dangerous forms. Cyber-criminals are targeting specific businesses and sectors for extortion, theft of consumer information, and outright theft.
This did have survey respondents worried: 86% said they believe that IT security threats will be even worse in the future. And in spite of the many governmental regulations enacted concerning information security and privacy, 57% of respondents believe that the government has not done enough to address IT security.
Yet, many companies fail to adopt basic and fundamental management practices to ensure IT security. Specifically:
• Although every company in the study has implemented firewalls to restrict virtual access to the organization’s network, 13% do not restrict physical access to corporate offices where network access is available.
• Nearly 20% of companies have not conducted an IT security audit in the past 24 months.
• Thirty-four percent of organizations do not restrict users from desktop operating system administration rights or root access, although this practice varies considerably by the size of the firm.
• A startling 65% of all organizations do not provide periodic IT security training for their employees.
• Similarly, 67% of companies do not conduct periodic software audits of desktop computers to ensure that unauthorized software or content is not present.
• In light of these deficiencies, there would appear to be many opportunities for outside consultants to assist companies in improving IT security. However, 56% of the firms in the study did not use IT security consultants in the past twelve months.
“From a CIO standpoint (this) is just one more piece of evidence that he can use to justify why he needs to take important actions that justify his priority for certain security actions,” concluded Scavo.