Internet Security Not Pressing to All

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.washingtonpost.com/wp-dyn/articles/A54670-2002Sep8.html

By Nicholas Johnston
Washington Post Staff Writer
Monday, September 9, 2002; Page E05 

Companies increasingly identify computer security as one of their top
priorities, but a significant minority admit that they are
inadequately protected, according to a survey to be released today.

"The positive news is that industry is talking the talk of the need
for improved information security," said David McCurdy, executive
director of the Internet Security Alliance. "The negative news is that
very few are walking the walk."

Nearly 90 percent of 227 companies that responded to a survey said
information security was essential to the survival of their business.  
However, 30 percent said their plans for dealing with technology
threats were inadequate.

The reason is that the threat of cyber attack remains relatively new
for many businesses, said Doug Goodall, chief executive of the
computer security firm RedSiren Technologies of Pittsburgh. And it
will take some time for companies to adjust to those new threats and
make appropriate responses.

"The challenge for fully a third of organizations interviewed is that
they still have a long way to go from awareness to proactive
management of the risks," Goodall said.

The Internet Security Alliance, the National Association of
Manufacturers and RedSiren conducted the survey last month, receiving
responses from information security specialists at 227 companies
worldwide. Although the survey is not statistically valid, Goodall
called the responses a fair representation of the experience of most
businesses.

About half of the respondents reported that the Sept. 11 attacks made
them "more concerned" about cyber-terrorism, but almost as many
respondents reported no change in their attitude.

And the economic fallout from the terrorist attacks could also be why
companies are slow to adopt more rigorous security procedures. "A lot
of companies right now are trying to survive," McCurdy said. "This has
been a cost item."

According to those who conducted the survey, many companies might
still believe that the potential losses from a cyber attack are not
yet great enough to warrant increased spending on security.

"A sizable portion [of companies surveyed] believes this is manageable
risk or an acceptable risk," McCurdy said. "That's a mistake."

What might be necessary to change those perceptions is a computer
security event the magnitude of last year's terrorist attacks to focus
attention on the problem, just as those attacks changed security
procedures at airports, for instance.

"They [corporate executives] have not in most cases had a debilitating
attack on their business," said Tom Orlowski, vice president for
information systems at the National Association of Manufacturers.  
"It's kind of like, 'Overall the U.S. has a huge risk, but me and my
company? I don't have much of a risk.' "

Almost a third of companies said they were unprepared for possible
cyber attacks, but 33 percent also said company executives have not
taken enough interest in the issue.

"It's just not high enough on their priority list," Orlowski said.


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.