2004 Global Information Security Survey Results
jotok writes "CIO.com has released the results of its 2004 Global Information Security Survey, based on the responses of over 8,000 people in 62 countries, highlighting the Six Secrets of Highly Secure Organizations. The report indicates that security awareness and implementation are gradually improving, but also that information security is still not receiving the attention it requires--especially from management and IT personnel."
Parent has a good point. Every company I've worked in has people who think, "It's not my problem." Management should be concerned about security protecting their business. IT personnel should be concerned about security because it keeps them in a job and makes life easier.
We have so many cliches and maxims about this very concept, but they fall on deaf ears:
Nobody seems to care about doing things the right way until they screw up because they were done poorly. Ounce of prevention and all that.
My group deploys custom solutions to customers all over the US, and we're regularly amazed at the customers' variances in security. At one extreme are gov't facilities you would expect to be tight, and they're loose. On the other are mundane organizations where things are very tight. Amazingly, some of the private sector companies are the tightest.
The article made a recommendation for a Security Czar (my term) to be in charge of physical security as well as info security. In my experience, physical and data security mirror each other within a given facility. Those who are sensitive to the exposure of their data are typically those with the tightest security measures for employees.
However, in an odd twist, very few companies consider the physical security of the data servers. In other words, they worry about firewalls, proxy servers, and up-to-date AV protection, but leave the servers in a location that's physically accessible to people WITHIN their organization that shouldn't have access to it.
Very, very rarely does someone manage this right. One of the few exceptions was a VA hospital. Not the tightest security, but it was consistently applied in the physical access to the servers, the access to the building in general, and the measures taken for electronic protection and isolation of critical systems.
Tim
Company XYZ somewhere, reading list: "CRAP! That's the same combination we use for root!"
That would be an improvement over reality: One facility run by a subcontractor has a database that processes 50K checks/day and generates checks in excess of $1 million/day.
Last time I checked, the database had no password on the administrator account.
Nobody was interested in changing this "because we are behind a firewall" and "there's no reason why anyone would look for us or could find us".
Thus, my sig:
A firewall cannot protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
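The sig above argues that exposure has to be reviewed on the host itself rather than assumed away by the perimeter. As an added illustration (not code from this thread or from anyone posting in it), the script below reads `ss -ltnp`-style output, compares each listening service against a documented need list, and flags anything that has no recorded reason to exist or that is bound to every interface when it only needs to be reachable locally. The socket listing and the need list are both constructed for the example; real hosts would supply their own.

```python
"""Audit listening services against a documented need list.

Added example: "turn off what you do not need" applied as a host-level
check that does not depend on what the firewall happens to block.
Input is text in the layout of `ss -ltnp`; the sample below is
constructed, not captured from a real system.
"""
import re

# Constructed sample in `ss -ltnp` layout (hypothetical host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=811,fd=3))
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=902,fd=5))
LISTEN  0       50      0.0.0.0:1433        0.0.0.0:*          users:(("sqlservr",pid=1200,fd=9))
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*          users:(("inetd",pid=410,fd=4))
LISTEN  0       128     [::]:8080           [::]:*             users:(("java",pid=1500,fd=12))
"""

# Hypothetical need list: port -> True if it must be reachable from the
# network, False if only local clients on the host should use it.
# Anything not listed has no documented reason to be listening at all.
NEEDED = {
    22: True,     # remote administration
    5432: False,  # database, local application only
    8080: False,  # internal admin console, local only
}

# One LISTEN line: state, recv-q, send-q, local addr:port, peer, process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_listeners(ss_text):
    """Return (local_addr, port, process) for every LISTEN line."""
    listeners = []
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def is_wildcard(addr):
    """True when the socket is bound to all interfaces (IPv4 or IPv6)."""
    return addr.strip("[]") in ("0.0.0.0", "::", "*")


def audit(ss_text, needed=NEEDED):
    """Return sorted (port, process, reason) findings for the host."""
    findings = []
    for addr, port, proc in parse_listeners(ss_text):
        if port not in needed:
            findings.append((port, proc, "listening with no documented need"))
        elif not needed[port] and is_wildcard(addr):
            findings.append(
                (port, proc, "needed only locally but bound to all interfaces")
            )
    return sorted(findings)


if __name__ == "__main__":
    for port, proc, reason in audit(SAMPLE_SS_OUTPUT):
        print(f"port {port:<5} {proc:<10} {reason}")
```

On the constructed sample the audit flags telnet on 23 and the SQL Server listener on 1433 as having no documented need, and the console on 8080 as bound to all interfaces when only local access was justified; the needed sshd and the local-only PostgreSQL socket pass. The need list is the important artifact: if nobody can write down why a port is open, that is the port to close before arguing about firewall rules.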