External Factors Are Driving Executives Worldwide to Increase Information Security Spending

New International Security Study by PricewaterhouseCoopers and CIO Magazine Shows United States Ahead of Other Countries in Raising Employee Awareness of Security Policies

NEW YORK and FRAMINGHAM, Maine, Sept. 29, 2003 -- External factors -- such as regulations and industry practices rather than business risk assessment -- are the primary forces driving security initiatives, according to a new worldwide study of 7500 senior IT executives. The State of Information Security 2003 study, conducted by PricewaterhouseCoopers and CIO magazine, is one of the largest global security surveys conducted this year.

The survey, which represents companies in 47 countries and across all industries -- such as government, financial services/banking, manufacturing, education, telecom, healthcare -- shows 62% of companies have increased security spending in 2003 compared to only 50% in 2002.

"Based on the results of the survey, we predict 2004 to be the year companies begin to look at security as a strategic enabler," says Joe Duffy, PricewaterhouseCoopers' partner and global leader of its Security and Privacy practice. "Survey results show 42% of companies surveyed will be looking at security from a more strategic perspective, investing in measures that are more proactive, and enhancing network security and intrusion detection."

The survey results also highlight the advances that the United States and North America have made in comparison to the rest of the world:

* Sixty-seven percent (67%) of U.S./North American respondents include both business and IT executives in information security decisions compared to respondents in South America (29%), Europe (52%) and Asia (59%)
* More U.S. and North America-based companies are using wireless technologies (50%) than companies in South America (28%), Europe (29%) and Asia (27%)
* The U.S. is also ahead in raising employee awareness of security policies, procedures and technical standards, with 71% reporting this as a tactic used to address emerging threats vs. 62% in Asia, 60% in Europe and 49% in South America
* Respondents in the U.S./North America are much more likely to report security events to legal counsel (50%) than their counterparts in South America (10%), Europe (27%) and Asia (16%). Likewise, U.S. companies are less inclined to inform their business partners, vendors and suppliers (25%) than those in South America (38%), Europe (37%) and Asia (40%)

According to Scott Berinato, Senior Editor of CIO and CSO magazines, "Organizations around the globe are concerned with information security yet each region has a different approach to dealing with problems. Not surprisingly, Europeans are more focused on ensuring customer privacy while in North America, we are fixated on potential liability issues."

Key Findings:

Information Security Breaches/Incidents:

* Two-thirds (64%) of the survey respondents indicate their organization has experienced negative security incidents in the past 12 months
* Of those who did experience hacks, attacks or breaches, the most common types were malicious code (59%), unauthorized entry (40%) and denial of service (36%)
* Most frequently, these security breaches resulted in email and applications being unavailable (53%), network downtime (49%) and confidential records, including employee and customer records, being compromised or lost (28%)
* Two-thirds (67%) of the executives surveyed say external forces are most likely the source of hacks, attacks or breaches, while 31% blamed unauthorized internal users

Adds Berinato, "Contrary to concerns about a so-called 'digital Pearl Harbor,' the majority of breaches that occurred last year were small scaled incidents that didn't last long and generally didn't cost much. Cyber-terrorism is a theoretical threat, but cyber-crime is a reality happening every day."

Information Security Incident Response and Reporting:

* Forty-one percent (41%) of respondents do not report incidents to organizations or authorities
* Of the 59% that do report, the most frequent organizations contacted are: legal counsel (19%), Computer Emergency Response Team (CERT) (17%) and government authorities (national or local) (16%)
* Forty percent (40%) of the respondents do not know the financial losses their organizations have experienced as a result of security breaches, while 29% report no financial losses

Information Security Influences:

* Security policy is most frequently set by the CIO/IT executive (47%), followed by the CEO (28%)
* Conversely, security spending levels are most often set by the CEO (46%), followed by the CIO (41%) and CFO (35%)
* The majority (78%) of those surveyed say information security (infosec) is included in the overall IT budget
* Less than 30% report IT and traditional physical security are integrated in their organization

"Companies are not defining their security problems correctly," says Duffy. "The problem is not with user identities, viruses or patches. The problem is how to support an 'always on' environment. It's about productivity, operational resilience, fault tolerance and the ability of customers to get what they want when they want it."

Methodology

The State of Information Security 2003, a worldwide study by CIO magazine and PricewaterhouseCoopers, was conducted online from April 15 through July 7, 2003. Readers of CIO magazine, CSO magazine and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results shown in this report are based on the responses of 7,596 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 54 countries. The margin of error for this study is 1.1%.

For more information, go to: WWW2.CIO.com/Research

About PricewaterhouseCoopers

PricewaterhouseCoopers (http://www.pwcglobal.com) is the world's largest professional services organization. Drawing on the knowledge and skills of more than 125,000 people in 142 countries, PwC builds relationships by providing services based on integrity and quality. ("PricewaterhouseCoopers" refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.)

About CIO Magazine

CIO magazine (launched in 1987) is published by CXO Media, Inc. CXO Media serves CIOs, CEOs, CFOs, COOs and other corporate officers who use technology to thrive and prosper in this new era of business. In addition to publishing CIO, CXO Media produces http://www.cio.com, The CIO Insider, CSO magazine, CSOonline.com and darwinmagazine.com as well as Executive Programs, a series of conferences that provide educational and networking opportunities for corporate and government leaders.

CXO Media, Inc. is a subsidiary of IDG (http://www.idg.com), the world's leading technology media, research and event company. IDG publishes more than 300 magazines and newspapers and offers online users the largest network of technology-specific sites around the world through IDG.net (http://www.idg.net), which comprises more than 300 targeted web sites in 70 countries. IDG is also a leading producer of 168 computer-related expositions worldwide, and provides IT market analysis through 51 offices in 43 countries worldwide. Company information is available at http://www.idg.com.

SOURCE PricewaterhouseCoopers

Web Site: http://www.pwcglobal.com http://www.idg.com http://www2.CIO.com/Research