Article

Deloitte survey finds overconfidence, lack of planning on security

Robert Westervelt, News Editor

IT security pros working in the technology, telecommunications, media and entertainment industries say they're confident they can handle external security threats, but nearly half lack a formal security strategy, according to a new survey.

    Requires Free Membership to View

If we want people to change their behavior and be sensitive to improper behavior around them, we have to focus on training.
Rena Mears,
U.S. privacy and data protection leaderDeloitte

The Deloitte survey of more than 100 organizations found that security pros within these industries may be overconfident when it comes to their security footing, said Rena Mears, Deloitte's global and U.S. privacy and data protection leader, who helped conduct the survey.

"Technology and media companies tend to be on the cutting edge when it comes to implementing different kinds of technologies and integrating them in a business model," Mears said. "But when you're talking about security you're talking about very often limiting access and sometimes restricting creativity and that goes against the grain of an open and creative culture."

Most organizations need to begin by understanding the data they are trying to protect. Security should be introduced as a value proposition so employees understand the value of protecting intellectual property, Mears said.

The survey found that 46% of companies surveyed failed to have a formal security strategy in place. Still, 69% said they are "very confident" or "extremely confident" about their organization's effectiveness at tackling external security challenges.

"Most security people, in the last few years, are trying to catch up with what has already occurred," Mears said. "Like most industries, technology companies are in a reactive mode and the security and privacy professionals involved want to move to a proactive stance and it's very difficult to do."

Insider threat:
What are the proper procedures for handling a potential insider threat? In this SearchSecuity.com Q&A, Mike Rothman discusses how corporations can avoid insider threats by forming an incident response plan and monitoring employee behavior.

DuPont case highlights insider threat: A former DuPont scientist who admitted trying to steal $400 million worth of information illustrates the seriousness of insider threats, a security expert says.

Societe Generale: A cautionary tale of insider threats: The $7.2 billion in fraud against French banking giant Societe Generale wasn't your garden variety cyber attack, but it illustrates an insider threat that gives IT pros nightmares.

One major stumbling block for many firms is defining and understanding intellectual property. Understanding the organization's personal information is easy since it can be found as a series of data objects in company systems. Intellectual property can take many forms, from a list, a series of activities to a bucket of bits, Mears said. As a result, just 7% of companies surveyed said they believe they are prepared for future security threats.

Senior executives could be seeing security as an IT issue, Mears said. The survey found that other strategic goals may be trumping information security at the board and executive level. Only 62% of respondents believe that security is a key imperative at the board or executive level.

That thinking at the executive level is starting to change, beginning with Sarbanes Oxley in addition to new breach notification laws, and the Payment Card Industry Data Security Standards. Also rising in concern is the area of insider threats, with only 56% showing confidence in addressing employee misconduct, whether it be deliberate—a rogue employee or accidental—such as an employee error.

"There's increasing concern around the fact that authorized people can either make errors which result in a breach or you could have insiders that are actually using their credentials in order to do something inappropriate," Mears said.

The problems posed by insider threats was highlighted recently when a rogue trader allegedly carried out $7.2 billion in fraud against French banking giant Societe Generale. The trader was a trusted insider who knew the inner workings of the company network.

"Training needs to be the answer here," Mears said. "If we want people to change their behavior and be sensitive to improper behavior around them, we have to focus on training. It's the biggest bang for the buck and the area where we see the least investment at the moment."


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: