Despite some recent embarrassments, such as the data thefts announced at ChoicePoint, security execs have something to be proud of. More resources are being spent to fight thieves and other cybercriminals targeting the enterprise. But a chronic problem remains: workers continue to fall prey to crooks working the phones, e-mail and Web sites for financial data. Users also continue to surf Web sites deemed unsafe by their security officers.
Enterprises are spending more money on security personnel, new hardware and training for end users, according to a recent survey conducted for the Information Systems Security Association (ISSA) and the Business Software Alliance (BSA). Penn, Schoen and Berland Associates conducted 850 interviews of ISSA members in December and January on behalf of the BSA.
But these efforts continue to be trumped by non-compliant employees. That has BSA and ISSA talking tough about employees who fail to comply with corporate security policies. They called for strong sanctions against violators of security policies, and aggressive civil and criminal action against perpetrators of fraud and identity theft both within and outside the enterprise.
An analyst also encouraged enterprises to tighten their access and authentication control systems, something companies such as ChoicePoint may not have felt compelled to do in the past. Such companies trade in personal credit histories and other information about individuals, and making that data readily accessible is central to their business, which works against tight controls.
Some of the tighter controls seem like no-brainers, but they are often overlooked. "A car leasing company, for example, could start by not having one password for accessing [their credit check] system, which everyone knows," said Gartner analyst Avivah Litan.
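The shared-password problem Litan describes, and what replacing it buys, as an added illustration that is not part of the original article. The code below models a hypothetical credit-check service two ways: one password shared by every employee, and one account per employee with a role check and an audit trail. The user names, passwords and applicant identifiers are constructed for the example; nothing here is ChoicePoint's or any leasing company's system.

```python
"""Shared password versus per-user credentials for a credit-check service (illustration only)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked account table does not hand out plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    role: str          # hypothetical roles: "leasing-agent" may pull reports, "auditor" may not
    active: bool = True


class PerUserCreditCheck:
    """One account per employee: every lookup is attributable, and one person can be cut off."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit: list[tuple[str, str, str]] = []   # (user, subject, outcome)

    def add_user(self, user: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt), role)

    def offboard(self, user: str) -> None:
        # Transfer/termination checklist step: disable this person's access and nobody else's.
        self.accounts[user].active = False

    def _authenticate(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None or not acct.active:
            return False
        return hmac.compare_digest(acct.digest, _hash(password, acct.salt))

    def lookup(self, user: str, password: str, subject: str):
        if not self._authenticate(user, password):
            self.audit.append((user, subject, "denied"))      # failed attempts are attributed too
            return None
        if self.accounts[user].role != "leasing-agent":
            self.audit.append((user, subject, "denied-role"))
            return None
        self.audit.append((user, subject, "allowed"))
        return f"credit report for {subject}"


class SharedPasswordCreditCheck:
    """The design Litan criticises: one password that everyone in the office knows."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)
        self.audit: list[tuple[str, str, str]] = []

    def lookup(self, password: str, subject: str):
        ok = hmac.compare_digest(self.digest, _hash(password, self.salt))
        # Every request is logged as the same principal, so there is nobody to sanction.
        self.audit.append(("shared-account", subject, "allowed" if ok else "denied"))
        return f"credit report for {subject}" if ok else None

    def rotate(self, new_password: str) -> None:
        # Revoking one departed employee means changing the password for the whole office.
        self.salt = os.urandom(16)
        self.digest = _hash(new_password, self.salt)


def demo() -> dict:
    """Run both models on constructed data and return the observable differences."""
    per_user = PerUserCreditCheck()
    per_user.add_user("alice", "correct horse", "leasing-agent")
    per_user.add_user("bob", "battery staple", "leasing-agent")
    per_user.add_user("carol", "aud1tor!", "auditor")
    results = {
        "alice_ok": per_user.lookup("alice", "correct horse", "applicant-001") is not None,
        "carol_wrong_role": per_user.lookup("carol", "aud1tor!", "applicant-001") is None,
    }
    per_user.offboard("bob")   # bob transfers out; only bob loses access
    results["bob_after_offboard"] = per_user.lookup("bob", "battery staple", "applicant-002") is None
    results["alice_still_ok"] = per_user.lookup("alice", "correct horse", "applicant-003") is not None
    results["per_user_audit"] = per_user.audit

    shared = SharedPasswordCreditCheck("leasing2005")
    shared.lookup("leasing2005", "applicant-001")   # alice or bob? the log cannot say
    shared.lookup("leasing2005", "applicant-002")
    shared.rotate("leasing2005b")                   # the only way to lock bob out
    results["shared_old_pw_after_rotate"] = shared.lookup("leasing2005", "applicant-003") is None
    results["shared_audit"] = shared.audit
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The per-user audit trail names the employee on every allowed and denied request, which is what a sanctions policy needs in order to be enforced; the shared-account log records only that someone with the password pulled a report. Offboarding is the second difference: disabling one account leaves everyone else working, whereas the shared password has to be rotated and redistributed, which in practice is the step that gets skipped.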
The aggressive security measures advocated by some information security officers [ISOs] represent a shift from the way companies often treat their employees.
"The tide has turned," said Anne Rogers, director of information safeguards at Waste Management, Inc., a Houston, Tex.-based company with about 22,000 computer users. Rogers is also ISSA's vice president of marketing. "HR folks used to say [to IT and security personnel], 'Don't be so aggressive and in-your-face.'"
But now employees are seen as having a more active role in security programs, said Rogers. After all, she said, "These are the people who use the technology every day."
Both the ISSA and BSA said they were heartened by the survey's results, which showed dramatic increases in the adoption of security programs and policies in large enterprises between 2003 and 2004. "The improvements [over the past year], in the number of companies with written security policies, are among the survey's most compelling findings," said BSA president and CEO Robert Holleyman.
Seventy-eight percent of the ISSA members surveyed reported having formal information security programs in place. And 42% reported creating employee transfer checklists, an increase of 8 percentage points over the previous year. More than half [51%] of those surveyed had published employee security handbooks, up from 43% in 2003. And 48% of the ISOs surveyed said they had a sanction policy for noncompliance, up 9 percentage points.
But because ISOs still ranked education and noncompliance near the top of their list of security challenges, more drastic measures may be needed. Waste Management's Rogers said employees should face discipline for violating their company's security policies. "You have to have a sanctions policy like you have a harassment policy, which states [norms for] expected behavior," said Rogers. "But then you've got to enforce it."