Chief security officers expressed a higher degree of confidence in US business and government’s information security compared to six months ago, signalling that collaboration and information sharing between public and private sectors and among corporations is beginning to pay off. Increasingly, organisations are reporting cyber crime, mostly to deter online attackers. CSOs report that the biggest threat to organisations continues to be internal employees, and education — of executive staff and down — is critical to securing information assets.
Institutions are better prepared today than 15 months ago
The majority (67%) of security professionals included in the survey agreed that the federal government was more prepared to respond to and recover from a cyber attack today compared to September 11, 2001, up from half (52%) of those surveyed in July of this year. Likewise, 66% agreed that their own organisation was better prepared compared to 50% of those surveyed six months ago.
CSOs sharing information
More than half (52%) of CSOs in our survey report cyber crime. Deterring others from committing cyber crime was the number one reason for reporting crimes for 39% of the respondents. Twenty-one per cent answered prosecution of individuals was their motive for reporting.
Close to half (45%) of executives in our survey have supplied data on customers, employees or business partners to government or law enforcement agencies. Additionally, 41% of CSOs said their organisation would supply this information for an investigation relating to national security and 43% said they would provide information only under a court order.
Employees are the key to effective security
When asked who posed the greatest threat to their company’s technology infrastructure, CSOs answered current employees (56%) most frequently, followed by external persons not employed by their organisation (30%). Survey respondents further reported that electronic attacks (52%), such as unauthorised access or a virus, were the biggest concern for their organisation with regard to security.
IT and security personnel are more security-conscious than executives and non-IT employees, according to the 797 security professionals surveyed. When asked to rate employees’ levels of compliance with the organisation’s security policies, security personnel (80%) and IT personnel (62%) were most compliant while management (37%) and all other employees (62%) were less compliant.
CSO Research Prediction
I like this, stepping out of the numbers to give our authoritative view. Training and educating employees about security policies and procedures will be a top priority for CSOs in 2003. All employees, from chief officers to service representatives, play an important role in the organisation’s security and need to understand and adhere to the company’s policies on issues including portable devices, password behavior and remote access. This message must be loud, clear and straight from the top — the CEO.
CSO magazine’s Security Sensor survey was administered online from November 25 through December 9, 2002. Subscribers to CSO magazine were invited to take the survey. The results shown here are based on the responses of 797 security professionals (not all respondents answered all questions), representing a response rate of 9%. The margin of error for this study is +/- 3.5%.
When asked about title, 34% were senior-level including CIOs, CTOs, CSO/CISO and vice presidents. Forty-five per cent of respondents were directors or managers. Seven per cent held government titles and 13% listed “other.”
In terms of company size, approximately 39% of the survey respondents worked at companies with annual revenue of $US1 billion or greater. Twenty-two per cent were from companies with annual revenue between $US100 million and $US999.9 million, and 34% listed revenue at less than $US100 million. (Six per cent did not answer.)
Respondents represented a wide range of industries including local, state or federal government (19%), insurance/healthcare (15%), computer-related industries (13%), finance/banking (10%), manufacturing (8%) and education (7%).