Study: Businesses lagging in securing information

July 2, 2008
New security study says companies need to focus on protecting customer, employee data

Zero in on the information security risks facing your company, or you'll likely find yourself overwhelmed. That's the overall message of our 2008 InformationWeek Strategic Security Study, which polled nearly 1,100 IT and business professionals about plans and priorities for securing their companies' assets.

Getting the money for security isn't the biggest problem: Fully 95% will see their budgets either hold steady or increase this year. It's that the money isn't making data safer. Sixty-six percent of respondents say their vulnerability to breaches and malicious code attacks is either the same as last year or worse. Since when is "no worse than before" an acceptable return on investment?

The solution lies in securing to specific threats. The problem is that IT lags well behind other disciplines in adopting systematic risk management processes. But those technology professionals who have made the leap into classifying IT assets, assigning values, evaluating threats, then determining where and how to mitigate risk find the process to be extremely valuable.

In short, risk management principles bring rigor to information security.

Here's one illustration from our security study of how risk management can focus companies on the most important threats: Insecure coding practices are a pox on all our houses. Roughly half of respondents whose organizations have risk management plans in place specify security features at the time of application design. Of those without risk management plans, just 22% focus on code security.

We need the jolt that this security study provides. Twenty-one percent of companies never conduct security risk assessments, and of those that do, just one in five imposes the rigor of using a specialized external auditor. This despite 63% contending with government or industry regulations related to data security, many of which don't give adequate guidance on how to comply. Best practices are the best defense in such gray areas.

Companies also are behind in implementing encryption to protect customer and employee data. We had hoped that the ongoing parade of high-profile data losses would set most companies on the road to comprehensive privacy protection. So we were discouraged that the only actions to safeguard customer data that are used by more than half of companies are ... informing employees of standards and putting a privacy policy on the Web site. Fine steps, but they don't exclude the need for encryption (used by 34%) or privacy policy audits (25%). Amazingly, 11% say they have no privacy safeguards for customer data. Zip. Zero.

We could go on, and we will. But we need to stop for a second and ask, what gives?

WHAT DO WE GET FOR THE MONEY?

There's no blaming the financial powers that be. For nearly 30% of respondents, security accounts for at least 11% of the total IT budget. The bad news: Viruses, phishing attacks, and worms continue to cause headaches, and companies keep pouring money into firewalls and antivirus protection. Speculation that these product categories would fade away, or at least be assimilated into other technologies, is premature, as 13% say their vulnerability to breaches and malicious code is even worse than last year. And they're the only two product categories rated as effective by more than half of respondents.

The main culprit? Complexity, cited as the biggest security challenge by 62% of respondents. More data is ending up on the network. More agents are running on company computers, and employees expect some control over the PCs they use. As travel and energy costs skyrocket, companies are increasing the use of branch offices and teleworkers, a trend that spreads data far and wide as people expect to work securely from customer sites, home, or the coffee shop down the street.

Complexity also stems from juggling multiple compliance requirements, training and educating staff and users in security awareness, and coping with increasing technical sophistication of networks.

Most organizations-63%-must comply with one or more government or industry regulations, many of them vaguely worded and offering little guidance on translating requirements into technology. To meet compliance goals, Kevin Sanchez Cherry, information systems security office program manager with a U.S. government department, says he applies best practices, which he determines by consulting a variety of sources, including the National Institute of Standards and Technology, the SANS Institute, and colleagues facing similar challenges. By implementing best practices, he doesn't need to spend much time normalizing multiple compliance requirements.

There's never a shortage of attackers, or of vendors looking to sell us ways to repel them. Problem is, most products aimed at mitigating security problems address a relatively narrow set of threats, and there are many competing technologies to choose from. Countering an ever-widening range of threats across a broad spectrum of systems still requires a slew of these point products. Good for vendors, bad for IT.

And make no mistake, we're facing a burgeoning array of hazards, from external attackers to rogue employees to authorized users. While the faceless computer criminal is the scarier source, internal users are the bigger threat because they have trust, access, and knowledge. A few will have axes to grind, but the unwitting employee who's duped into forking over company secrets or allowing a breach to occur in an attempt to be helpful is much more likely. That's tough to combat even with rigorous processes and employee-awareness programs. Fully 35% say training to stop employees from sharing passwords is either somewhat or totally ineffective. Just 38% think they'll be successful at preventing employees from falling for social engineering exploits.

Sanchez Cherry suggests using real-world examples that are relevant to the intended audience, to make problems tangible. For example, a laptop containing private information was stolen in 2006 from the apartment of an employee of the Department of Veterans Affairs. This is a prime example of a well-meaning worker causing the loss of data. It's an opportunity for people like Sanchez Cherry to pound the lesson home.

RISK MANAGEMENT IS THE ANSWER

Compliance woes. Widening attack vectors. Gullible end users. What's an IT leader to do? The best way to focus information security efforts is, broadly, to stop thinking about vulnerabilities and start thinking about risks. No organization can plug every hole-there aren't enough resources and never will be. Even with an infinite budget, the threat landscape is ever changing.

Risk is, at its simplest, the chance that you'll suffer a loss because of a given activity. The risk management process uses people, processes, and products to reduce the likelihood that the unwanted event will occur, and if it should, to minimize losses. From an IT perspective, this is more than having a security policy in place-something nearly all but 54% of companies surveyed have managed to do by now.

IT needs to go against the grain and train itself to focus on the value of data and the likelihood it will be compromised, rather than on how a compromise might occur. The how is important to understand, of course, but once data is in the wind, there's no turning back.

The use of risk assessments is fairly widespread, with 79% of survey respondents conducting them, though not all companies then put the work to full use. Of those doing assessments, 76% use them to develop security policies, but just 41% use them to drive purchasing and planning.

Of course, it doesn't take an MBA to know that risk management is about more than just IT and data security. Businesses engage in risk analysis all the time when they roll out new products, manage marketing budgets, and make capital investments. IT teams need to tap into that knowledge and perspective at their own companies.

Electric Insurance spends about 20% to 25% of its project planning time on risk analysis and management, says Michael Hannigan, manager of systems engineering and support. Because the entire process, from planning to postproduction, includes risk analysis, Hannigan finds potential problems are identified and addressed early. Fixing a problem after the fact is many times more expensive than repairing it in the design stage. In Electric Insurance's case, risk management is already part of the culture-not surprising for a financial company. We should all be so proactive.

Much of the considerable up-front cost of a risk assessment will stem from doing asset and risk analysis; determining the value of projects, product lines, and services; and then assigning risk to each. But it's a process that pays off over time.

"You have to have a strategy," Hannigan says. "Big IT projects, like identity management and password management, are very expensive to implement, but where do you want to be in three or five years, and what's the easiest way to get there? You don't want multiple silos of security. You want to standardize and not deviate from those standards unless there are compelling, justifiable reasons to do so."

In a testament to the brisk security product industry, when we asked what measures are taken to mitigate risks, the No. 1 answer, cited by 72%, is throw technology at problems. There's nothing wrong with that-technical problems require technical solutions-but compare it with some of the more strategic possibilities: A mere 18% institute role-based access to sensitive data.

Given the effort and money needed for focused risk management, measuring the success of the ongoing process is critical. Sixty percent of survey respondents use internal audits to evaluate whether risk management efforts are paying off, and just under half use regulatory compliance as the measure. Neither of these steps is as effective as inviting expert penetration testers to do their worst, a fact not lost on financial services companies, of which 69% measure success with independent audits. Overall, the number's just 43%.

Who controls-and is accountable for-all these budget dollars? In 63% of companies, the IT budget funds risk management initiatives, and this holds true regardless of industry. More interesting, 69% of companies with risk management plans say that, long term, the process will save them money. Only 22% say the risk management effort will be an ongoing budget hit. This is a refreshing comeback against the doom and gloom of perpetual costs that often surround risk management.

While we didn't ask the source of cost savings, we can infer benefits from other questions. Risk assessments primarily are used to develop mitigation policies and fix vulnerabilities; that can yield process-oriented efficiencies, such as leveraging databases to simplify asset management and policy compliance. Similarly, understanding the source of vulnerabilities and fixing root causes extend efficiencies across a company. Regulatory compliance also generally benefits from risk management, whether it's improved infrastructure security and storage management or identity management and documenting processes.

Bottom line: The initial cost of a risk assessment will likely look high, but long-term efficiencies such as streamlining data management and documenting existing processes-not to mention actually improving data security-should make it worth the price.