By Will Sturgeon, 15 March 2005 08:40
NEWS European IT chiefs have revealed a shocking awareness of security threats apparently favouring an 'ignorance is bliss' mentality which leaves them all highly confident about the state of their crumbling security.
Latest research reveals the majority of IT bosses are confident about their companies' security yet when drilling down through the findings we find a picture of disarray as companies lose track of laptops, remote access, the latest threats and the risk of employee wrong-doing.
According to findings released today, 99 per cent of respondents said they are protected from threats while only three per cent of European IT bosses don't believe they will ever be 100 per cent secure.
Furthermore not a single UK recipient doubts they will attain 100 per cent secure status. Such findings seem more indicative of the fact they don't realise what the threats are rather than being evidence of them being on top of their risk.
Mark Murtagh, European technical director at Websense, which commissioned the research, said it paints a worrying picture for companies.
"Perhaps the thing which causes the most concern is this is what they are reporting back to their board," he said. "We obviously still need a real wake-up call."
Eight per cent of companies have no additional security in place beyond desktop antivirus and a firewall and many are being slow to react to the latest threats.
Despite it being an issue which has hit the headlines in a big way over the past 12 months spyware is still getting an easy ride, with 35 per cent of companies having no protection of any kind in place.
And the ways in which spyware can get onto a machine continue to thrive with 56 per cent of firms letting staff install and use peer-to-peer software a common source of malicious code and 43 per cent of firms doing nothing to limit employee web-surfing. Furthermore 62 per cent of companies are doing nothing to limit staff access to phishing sites.
And if staff decide to turn on their company and steal data or access areas of the network they shouldn't, very few firms (40 per cent) are equipped to identify them.
And when it comes to staff out and about on the move there appear to be huge holes through corporate security. More than two-thirds of UK IT bosses (68 per cent) think laptops, which are taken home or used remotely and then plugged back into the network, pose a security risk and yet only a quarter (26 per cent) are really doing anything about it. Almost the same amount (22 per cent) believe staff installing peer-to-peer software, games or freeware for use at home poses no threat to the enterprise when that laptop come back within the security perimeter.
"Too many companies are leaving these matters in the hands of their employees," said Murtagh. "But you cannot rely upon the individual to take the necessary measures to protect their laptops and consequently the network."
More than two-thirds (69 per cent ) of respondents believe staff are responsible for how laptops are used when they are taken out of the office. Only 21 per cent believe it is the responsibility of the IT department while six per cent said they don't know who is responsible.
And while employees must play a part, history has shown users cannot be the only line of defence especially while policy and education are still wanting. Around half the companies surveyed do not sign up staff to an internet and email usage policy.
Other measures which should be taken are also being overlooked or undertaken too lightly.
Murtagh said thorough PC audits need to be undertaken suggesting those who currently claim to do so may only be scratching the surface. While 40 per cent of respondents claim to audit PCs every three to six months, Murtagh believes this may amount to little more than 'head count' "how many have we got and what operating system are they running?".
"Companies need to seriously audit PCs and undertake full risk assessment. They need to understand how PCs are being used and what traffic they are generating," said Murtagh.
But it's unlikely change will happen quickly.
"I'd like to think if we did this survey again in six months I'd have some cause for optimism but there will still be a large number of companies who have failed to get a grip on their internet security," said Murtagh.
Comments
There are 3 comments. Join the discussion
1. anonymous
This is cobblers. It is impossible to achieve 100% security unless a company disconnects all ties with the internet, does not have e-mail, takes out all removable media devices, and goes back to using DOS.
You have to be confident you are as secure as you can be (including considerations of what your company is prepared to spend), and have (a)excellent contingency plans in place should the unknown strike, reducing the hit on downtime, and (b) excellent business continuity plans in place, so you can continue running your business as well as possible in the total absence of IT support.
This man is selling his consultancy, not advising the world. In any event, he's not doing either very well.
2. anonymous
CIO = Completely Ignorant Officer.
3. anonymous
There is unlikely to be an IT Tech, CTO, CIO, CISO, ISM, ISO et al who would suggest you can have 100% security; all will be attempting to achieve a level of security that provides a solution of some description (key phrase). The idea offered by Anon1 is good but then there is still the human factor to consider. Oh dear, what should we do? Remove all I.T. from the scene, rip the internet down, hide in cave and never come out. Guess what; someone from another cave will consider your cave to be better and attempt to get. I suppose the solution then would be to employ a security officer to keep the cave secure. Think we are in a loop. Common denominator...people, not technology.