WASHINGTON, Sept. 9, 2002 - A new survey of information security specialists at organizations around the world finds that - despite a high level of awareness of the risk of computer attacks even before the events of last September 11th - almost one-third of the companies surveyed say they may still not be adequately equipped to deal with an attack on their computer networks by cyberterrorists.
Conducted jointly by the Internet Security Alliance (ISAlliance), the National Association of Manufacturers (NAM) and RedSiren Technologies Inc., the survey asked respondents to compare their companies' attitudes regarding information security issues, both today and prior to last year's terrorist attacks on the World Trade Center and the Pentagon. The survey found that:
· 30 percent of respondents said their firms do not have adequate plans for dealing with information security and cyberterrorism issues, down from 39 percent last year;
· 33 percent said information security is not a visible priority at the executive or board level of their organizations;
· 39 percent said information security plans are not regularly communicated to or reviewed by top corporate executives; yet
· 88 percent said their companies now recognize information security as an issue essential to the survivability of their business, up from 82 percent prior to the attacks.
The survey was conducted from Aug. 12-23, targeting corporate information security specialists around the world. More than 225 responses were recorded from throughout North America, Europe, the Middle East and Pacific Rim regions.
"Based on these results, our challenge is to educate companies about the need for taking added preventative steps now, as well as the hard-nosed reality that this situation will not change. Enterprises of all sizes have to remain active and vigilant on an ongoing basis if they are going to protect against cyberattacks on their systems," said Doug Goodall, RedSiren's president and chief executive officer.
"Information security needs to be a top priority for any successful business, from the executive level to the IT manager," said Dave McCurdy, ISAlliance's executive director. "Businesses rely more on the Internet and e-commerce than ever before and confronting new and emerging cyber-threats without sound IT security practices is not sound corporate management." The ISAlliance is the publisher of "Common Sense Guide for Senior Managers: Top Ten Recommended Information Security Practices."
Forty-eight percent of respondents said that the September 2001 attacks had made them "more concerned" about cyberterrorism and its impact on their organizations; 49 percent reported no change in attitude at all. "This seems to indicate a bit of a disconnect between the perception of the general threat of cyberterrorism and specific concern about one's own organization," said Tom Orlowski, vice president, Information Systems, at NAM. "It may reflect a mentality that 'it'll never happen to me.' In today's world, that may be a dangerous complacency."
Almost half of the respondents (47 percent) said their companies have increased spending on information security since last year, and 38 percent said that trend would continue in 2003. New or improved information security measures implemented in the past year ranged from cyber insurance policies (31 percent report obtaining them for the first time) to incident response plans (60 percent implemented new or upgraded strategies).