[ISN] Study: Most Technology Companies Have Data Losses

[InfoSec News]

http://www.eweek.com/article2/0,1895,1979924,00.asp

By Matt Hines 
June 21, 2006 

Over half of all companies doing business in the technology, media and
telecommunications sectors have experienced data breaches that
potentially exposed their intellectual property or customer
information, a new research report shows.

According to the report, published by Deloitte Touche Tohmatsu, not
only have many technology providers been hit with the same sorts of
data losses that have recently plagued other industries, but a large
number of the firms have also failed to make sufficient investments in
security technologies aimed at preventing future incidents.

Deloitte researchers said that security has long been "neglected" by
technology, media and telecommunications companies despite their
dependence on digital information to run their businesses.

The consulting company surveyed executives at 150 such companies and
found that even in the face of public embarrassment, financial losses
and potential litigation linked to data breaches, many of the
businesses have yet to make necessary investments to more adequately
protect their information.

According to the report, more than 50 percent of the companies
surveyed admitted to having a data loss within the last 12 months,
with roughly one-third of those incidents directly resulting in
financial losses.

Half of the companies reporting data breaches said the incidents
involved internal attacks or policy violations.

Of the firms surveyed, only 4 percent said their employers are doing
enough to address the issue, and just 20 percent of respondents said
that they feel confident that their companies' intellectual property
is being sufficiently safeguarded.

Some 24 percent of interviewees said that the security tools they have
installed are being used effectively.

While phishing schemes continue to pose a major threat to companies'
customer information and brand reputations, only 18 percent of those
executives surveyed said that their firms have employed technologies
aimed at preventing the attacks.

Deloitte said that 37 percent of the companies it interviewed have
provided additional security training to their employees within the
last 12 months.

At the heart of the issue, the report said, is companies' reluctance
to increase their spending on new security measures.

While 74 percent of survey respondents said that they expect to spend
more time and money on improving security in 2006, the average budget
increase among those companies was only 9 percent.

Fewer than 15 percent of those increasing their security budgets
planned to do so by over 20 percent, Deloitte said.

Despite the sobering statistics, Deloitte researchers said that
technology, media and telecommunications companies are beginning to
make changes to improve their IT defenses and security policies.

Regulations such as the U.S. government's Sarbanes-Oxley Act have help
pave the way for those improvements, said Brian Geffert, principal of
security and privacy services at Deloitte.

"Sarbanes got people to understand security a bit more, and now more
people are catching up; more CEOs are communicating directly with
chief information security officers, and I think we will see a lot
more investment from these particular companies," said Geffert.

"To a degree people are in the stage where they are still making
plans, and not yet fully engaged in moving forward, but there's
progress."

Only 63 percent of respondents to the survey said they have a
senior-level executive in their company dedicated to managing security
issues, with 53 percent of information technology companies employing
those types of leaders.

Deloitte noted that those numbers were lower than the proportion of
companies in other industries with C-level security executives already
in place.

Further, the survey found that 52 percent of technology, media and
telecommunications companies consider security a problem for IT
departments, rather than viewing the issue as a central business
concern.

The top five information security concerns identified by the
executives polled were those related to instant messaging systems,
phishing schemes, viruses that attack mobile devices, hacks into
online brokerage accounts and other Web-based crimes.

So-called insider attacks, or threats emanating from employees or
other people with legitimate access to IT systems, are another major
concern.

However, only 59 percent of the companies interviewed said that they
have any form of employee behavior monitoring technology in place.

While 25 percent of respondents listed cited insider fraud as their
primary internal security concern, 22 percent pointed to data losses
such as the incidents that have recently victimized the U.S.  
Department of Veterans Affairs and insurance giant American
International Group as their greatest fear.

"These data leaks are starting to make people think differently about
the manner in which they handle data, and you also have the emergence
of small storage devices capable of carrying off a boatload of data,
those things have opened people's eyes," Geffert said.

"At the end of the day, it's all about getting people to look at their
work habits differently and letting workers know what their
responsibilities are for protecting the data; technology companies are
a bit behind other industries today, but there's no reason that they
cannot catch up."