Policing IT
Security has become the single biggest issue for IT management, Information Age's latest reader survey confirms. But some are more prepared to meet the threat than others.
As computing has worked its way into the fabric of the modern organisation, the threat from outsiders - as well as internal staff - has grown exponentially. Malevolent code is now threatening almost every facet of the organisation.
New threats arise constantly, with phishing, spyware and identity theft just the latest additions to an already long list of potential hazards that need to be assessed and addressed. That is reflected in a recent Information Age reader survey, conducted in conjunction with IT infrastructure availability specialist APC. The survey of 227 readers showed that organisations are being forced to spend ever larger amounts on protecting their infrastructures, and although they are doing so with greater appreciation of the issues at board level, their efforts are not universally successful.
Industry analysts put that rise in spending on security software alone in the range of 25% to 30% per annum, with an additional driver coming from the raft of new regulations such as the Sarbanes-Oxley Act in the US, the Freedom of Information Act in the UK and Basel II in Europe.
Recognition
While around three quarters of those canvassed said that their organisation has an information security policy, a worryingly large 17% admitted that they have no formal approach in place. Of those with a policy, 62% said it was reviewed at board level at least once every year. However, 7% revisited the policy every month and a fifth said they conduct a review of policy every six months or less. However, an astonishing 10% never review their security policy.
Threats
Outside attacks on IT systems are identified as the biggest threats, with just over 75% of survey respondents pointing to viruses and hackers as their biggest concerns. Of the respondents who reported that their business had experienced a serious, unplanned outage to critical business systems over the past year (158 respondents), roughly 13% cited a virus or worm attack as the cause.
Other than these threats, though, the problems identified all appeared to be in-house, with 68% pointing to human error and 53% saying that internal theft or fraud was among the top three threats to their organisation's IT. Around the same number highlighted inherent technical problems with IT equipment as a major security headache.
Preparedness
Although the vast majority of respondents - 91% - said that security was either important or very important to their company, this commendable concern has not appeared to translate into action. Just over 30% said that they are under-prepared to handle a breach of their security, while almost 60% felt that they could only adequately deal with one. Encouragingly, only a handful of people (2%) admitted to being completely unprepared.
The main reasons given for a lack of preparedness centred around money, time or an overburden of regulations. Almost 20% said that it was a result of budget limitations, while a slightly higher figure (23%) pointed to time issues. Conversely, given the large percentage of companies who recognise that IT security is an important issue, when asked why they were not fully prepared, just over 32% said that they did not consider security a priority for investment.
Spend
While budget limitations may have some bearing on a company's ability to tackle a security breach, almost 70% of the survey's respondents said that their organisation had increased information security spending in the last 12 months. Taking the biggest slice of the cake was spending on security-related hardware and software, which soaked up the bulk of the security budget at 69% of companies. Investing in the development of specific policies and processes to manage threats involved only just over 10% of IT security spend. This last figure may go some way to answering the contradiction between the 91% of people who rate IT security as an important concern and the mere 8.5% who claim to be fully prepared.
When it comes to identifying what proportion of their organisation's IT budget is actually spent on security, a remarkable 26% of respondents fully admit that they "don't know", while over half said that their organisations spend less than 10% of the available cash in this area.
Conclusions
The survey highlights that while there is wider recognition that maintaining good security is a vital role, there is also a long way to go in matching those words with actions.
One of the reasons for this disparity may derive from a level of confusion over whose problem security actually is. Almost half (48%) of respondents said that they felt it was ultimately a business problem that needed to be addressed by business executives; while a third (33%) viewed it as a technical problem for IT to solve. Another 10% considered it to be more of a social issue that needs to be addressed by human resources staff through staff training and changes to employment contracts.
What is clear, though, is that the serious nature of the security threat makes it a problem all three of these groups must address.





