Report: Business fails on global security

Published: 15 Nov 2001 07:30 GMT

Multinational corporations are still far off from securing their networks and seem to be focusing on the wrong threats, according to a report expected from Big Five accounting firm KPMG this week.

For the risk assessment report, KPMG interviewed 500 executives in August and discovered that although 85 percent felt they gave enough attention to protecting their information, nearly four out of 10 thought their company could suffer a serious breach of security.

The majority believes that the fix is to buy the right technology, but that's plain wrong, Stuart Campbell, partner for KPMG's Risk and Advisory Services practice, said in a statement.

"Until more executives regard information security as a strategic business issue, organisations will remain vulnerable," he said. "This issue doesn't begin and end with technology solutions and technology departments."

Rather than buy new software and systems, companies should be looking toward education, training and policy initiatives. Almost 90 percent of the executives said they had an ongoing program of such training, but only 11 percent said that nonmanagement employees were informed about security policy.

"Companies need to move aggressively in educating and informing employees," said Campbell. "A security environment aimed primarily at preventing outside intrusions is destined for failure."

Making the problem worse, companies seem to be focusing on the wrong risks. The report found that a third of executives considered hackers attacking from the Internet to be the greatest threat, but the reality, it said, is that almost 80 percent of attacks originate from inside a company's network.

Another study may complicate that finding, however.

Last March, the 2001 Computer Crime and Security Survey found that although attacks by online vandals didn't account for major dollar losses, the Internet has become a major source of attacks for most organisations. Companies that found themselves the victim of attacks via the Internet increased to 70 percent in 2001, but the number of companies experiencing insider attacks fell to 31 percent.

Still, some results of the KPMG study indicated that companies were improving information security.

Nearly eight out of 10 multinational corporations had developed a catastrophic response plan, and almost six out of 10 had hired full-time security specialists.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.