A new study released from CA says security breaches aren't just happening to the other guy. The most significant finding of the study -- which was primarily focused on network security concerns and which surveyed large corporate enterprises -- was that 84 percent of North American enterprises suffered a security breach in the last year. The findings indicated a 17 percent increase in breaches since 2003.
The CA study reported that the breaches caused decreases in workforce productivity (a complaint from 54 percent of respondents), while some 25 percent of respondents said "public embarrassment, loss of trust/confidence and damage to reputation" was an after-effect of a security breach. Twenty percent of the respondents also indicated that the breach did involve a loss of revenues, assets or customers.
The study also noted that 38 percent of breaches came from within the company itself, a fact which closely parallels today's news of an FBI-led investigation of a Coca-Cola Company employee who allegedly attempted to sell classified documents as well as under-development product samples.
Also discouraging was survey data indicating that 40 percent of respondents didn't believe that IT security and risk management were being taken seriously at all levels, while another 37 percent rated their company's security spending level as "too low."
But for all the bad news of the CA study, there are indications that organizations are changing their ways. Some 88 percent were documenting their organization's security policies; 83 percent were working to educate their employees on security policies, and even 63 percent of the respondents said that a chief information security officer (CISO) position was being created.
The results of the study also noted that identity and access management (IAM) solutions are being adopted to control risks and help eliminate breaches. Roughly three-quarters of the survey's respondents said they had implemented IAM solutions and were continuing to invest in and spread that functionality through the company; another 18 percent had an IAM investment planned for roll-out in the coming 12 to 18 months.
Still, despite the IAM investments and employee security education, it's clear that network security breaches aren't on their way to extinction and that current security policies may not be working.
From recent cases of ING's loss of data on D.C. employees, to a VA laptop that went missing with millions of veterans' personal info, the information security breach at an enterprise organization has become the crime du jour. Yet the notoriety of these crimes is not solely ascribable to the number of people affected; rather the notoriety stems from the fact that the breaches are occurring at companies and agencies which most would expect to have strong security policies.
Toby Weiss, who is the general manager of CA's security management division, said the results should be a wake-up call for many U.S. enterprises.
"These survey results demonstrate that even though organizations are investing in security technologies, they still aren't achieving the results they seek," said Weiss in a statement released with the results. "Clearly, more work needs to be done in terms of both improved security management itself and better education of business users about the importance of IT security best practices."