IT security incidents up by a quarter on last year

12 Dec 2005

Security-related events have risen by 22.4pc on last year and more organisations are losing money as a result, according to a new survey that claims to be the largest of its type in the world.

The State of Information Security 2005 report, conducted by IDG’s CIO magazine and PricewaterhouseCoopers, polled more than 8,200 IT security executives in 63 countries. Compared with last year’s figures, it found that the average number of security-related events reported is up 22.4pc from last year to this. The number of organisations reporting financial losses from these events is 22pc, an increase from 7pc in 2004.

Hackers remain the most likely source of events, responsible for 63pc of attacks. Next were employees, which accounted for one third of security incidents. In keeping with trends reported elsewhere, malicious code is on the rise – in this case, it was responsible for 59pc of attacks, up from 53pc last year.

The net result of the current situation is that security spending is up. This year it accounts for 13pc of organisations’ average IT budgets, up from 11pc last year.

In addition, many organisations consider security so important that they employ someone whose remit specifically addresses this area: 40pc of this year’s respondents said their companies have a chief information security officer or chief security officer on the payroll, up from 31pc in 2004.

These organisations are more prepared for security from a strategic point of view, as 62pc of such firms have a security plan in place. However, the overall figure is much lower with only 37pc of respondents saying they have such a document. Only 24pc said they expect to develop one in 2006.

Despite all the talk of regulatory compliance, 38pc of those affected by the Sarbanes-Oxley Act, 2002 said they are not currently keeping up with this legislation, although they are required to do so.

Respondents also identified several top strategic priorities for the coming year. In descending order, these are: disaster recovery and business continuity; employee awareness programs; data backup; enterprise information security strategy; enhanced network firewalls; a centralised information security management system; periodic security audits; employee monitoring; monitoring security reports such as log files or vulnerability reports; and protecting intellectual property.

By Gordon Smith