To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39128682,00.htm

IT managers adopt 'stay clueless, stay safe' strategy
If we don't know these problems exist we can't know we aren't protected from them...

By Will Sturgeon

Published: Tuesday 15 March 2005

European IT chiefs have revealed a shocking awareness of security threats – apparently favouring an 'ignorance is bliss' mentality which leaves them all highly confident about the state of their crumbling security.

Latest research reveals the majority of IT bosses are confident about their companies' security yet when drilling down through the findings we find a picture of disarray as companies lose track of laptops, remote access, the latest threats and the risk of employee wrong-doing.

According to findings released today, 99 per cent of respondents said they are protected from threats while only three per cent of European IT bosses don't believe they will ever be 100 per cent secure.

Furthermore not a single UK recipient doubts they will attain 100 per cent secure status. Such findings seem more indicative of the fact they don't realise what the threats are rather than being evidence of them being on top of their risk.

Mark Murtagh, European technical director at Websense, which commissioned the research, said it paints a worrying picture for companies.

"Perhaps the thing which causes the most concern is this is what they are reporting back to their board," he said. "We obviously still need a real wake-up call."

Eight per cent of companies have no additional security in place beyond desktop antivirus and a firewall and many are being slow to react to the latest threats.

Despite it being an issue which has hit the headlines in a big way over the past 12 months spyware is still getting an easy ride, with 35 per cent of companies having no protection of any kind in place.

And the ways in which spyware can get onto a machine continue to thrive with 56 per cent of firms letting staff install and use peer-to-peer software – a common source of malicious code – and 43 per cent of firms doing nothing to limit employee web-surfing. Furthermore 62 per cent of companies are doing nothing to limit staff access to phishing sites.

And if staff decide to turn on their company and steal data or access areas of the network they shouldn't, very few firms (40 per cent) are equipped to identify them.

And when it comes to staff out and about on the move there appear to be huge holes through corporate security. More than two-thirds of UK IT bosses (68 per cent) think laptops, which are taken home or used remotely and then plugged back into the network, pose a security risk and yet only a quarter (26 per cent) are really doing anything about it. Almost the same amount (22 per cent) believe staff installing peer-to-peer software, games or freeware for use at home poses no threat to the enterprise when that laptop come back within the security perimeter.

"Too many companies are leaving these matters in the hands of their employees," said Murtagh. "But you cannot rely upon the individual to take the necessary measures to protect their laptops and consequently the network."

More than two-thirds (69 per cent ) of respondents believe staff are responsible for how laptops are used when they are taken out of the office. Only 21 per cent believe it is the responsibility of the IT department while six per cent said they don't know who is responsible.

And while employees must play a part, history has shown users cannot be the only line of defence – especially while policy and education are still wanting. Around half the companies surveyed do not sign up staff to an internet and email usage policy.

Other measures which should be taken are also being overlooked or undertaken too lightly.

Murtagh said thorough PC audits need to be undertaken – suggesting those who currently claim to do so may only be scratching the surface. While 40 per cent of respondents claim to audit PCs every three to six months, Murtagh believes this may amount to little more than 'head count' – "how many have we got and what operating system are they running?".

"Companies need to seriously audit PCs and undertake full risk assessment. They need to understand how PCs are being used and what traffic they are generating," said Murtagh.

But it's unlikely change will happen quickly.

"I'd like to think if we did this survey again in six months I'd have some cause for optimism but there will still be a large number of companies who have failed to get a grip on their internet security," said Murtagh.