Tech and media firms see rise in IT attacks

10 Jul 2006

Technology, media and telecoms companies whose business revolves around digital information are reporting greater levels of data security breaches, a survey has found.

Around half the attacks are internal in terms of fraud and human error, with memory sticks posing an increasing threat.

The global survey by business advisory firm Deloitte found that more than 50pc of companies surveyed reported security breaches in the past 12 months, with a third of these breaches resulting in severe financial losses.

More than half the breaches came from within the businesses affected.

Deloitte argues that the reliance of the technology, media and telecoms sector on digital information has made it increasingly vulnerable to attacks.

Gerry Fitzpatrick, a partner in Deloitte’s Enterprise Risk Services Group, explained: “Technology, media and telecoms companies are becoming more aware of the impact of technical security attacks because their businesses revolve increasingly around digital information and technology.

“Everything from voice telephony to prime-time television is now created and transmitted as a series of zeros and ones — making it vulnerable to infection, attack and theft. Protecting the confidentiality and integrity of data, as well as ensuring it is available when required, is now an important aspect of effective operational management.”

Deloitte found that most technology, media and telecoms companies are not investing enough time, money and resources to protect themselves.

Despite the threat of financial loss, intangible factors such as brand damage, customer dissatisfaction, market erosion and lost productivity tend to be overlooked.

“Irish technology, media and telecoms firms must recognise that they represent an increasingly attractive target,” said Colm McDonnell, a director of Deloitte’s Enterprise Risk Services Group.

“Media companies’ content is, in essence, fuelling a global market of illegal downloads and counterfeit goods; telecommunications operators increasingly represent the gateway into the digital home and office. These threats are becoming more and more prominent in the Irish marketplace and this report acts as a timely reminder to Irish firms that this is an issue that needs to be addressed straight away,” McDonnell added.

Curiously, while external security threats such as viruses and worms get most of the attention, as well as the lion’s share of IT resources, internal risks such as fraud, employee misconduct and human error are just as great, says Deloitte.

Among those companies whose security had been breached in the past 12 months, 50pc were attacked from within. Deloitte says this is not surprising given that portable media devices, such as memory cards, can now hold huge amounts of confidential data.

It might also explain why many technology, media and telecoms companies are not very confident in the security of their internal IT infrastructure, with 83pc concerned about employee misconduct involving information systems.

Most technology, media and telecoms companies limit their security policy to the basics such as firewalls, anti-virus applications, spam-filtering and virtual private networks. However, more advanced threats like phishing are not being adequately addressed. Only 18pc of technology, media and telecoms firms have currently implemented anti-phishing technologies, the survey found.

Deloitte warned that businesses such as digital television and radio, online music sales and VoIP (voice over internet protocol) telephony systems can be completely shut down by security attacks.

The same holds true for web advertising and digital media distribution. In these businesses, service disruption translates directly into loss of customers and revenue.

Deloitte recommended that technology, media and telecoms companies implement an enterprise-wide programme to manage business continuity in the event of a breach or a disaster.

McDonnell added: “The increasing vulnerability of the technology, media and telecoms sector to attack means that security is no longer a minor operating detail best left to the IT department. The industry needs to address security as a fundamental business requirement — and a strategic imperative.”

By John Kennedy