Fran Foo | July 01, 2008
MOST local organisations say they've done everything in their power to secure their IT systems, a study shows, but this attitude carries the risk of overconfidence - an ideal opening for hackers.
Fifty-nine per cent of respondents to an enterprise security survey conducted by Hydrasight say their systems are reasonably well-protected and their IT defences are rarely tested.
An additional 39 per cent are highly confident their systems can withstand all types of attacks.
The findings show organisations have reached a level of comfort with security, as most internal security projects have been completed.
"We hear from the security vendors that the end of the world is coming, but businesses just don't believe it," Hydrasight analyst Michael Warrilow says.
It's not surprising that organisations feel that way, as they have invested a lot to improve network security, he says.
However, he warns, companies could be digging their own grave by standing idle.
"Organisations might think they've solved the problem but the threats are increasing and they're going beyond technology to target people," he says.
"Complacency is the enemy in this situation."
The findings are a blow to security vendors, as they signal a reluctance by organisations to invest more in high-end security.
"It looks like organisations may have reached a plateau of risk investment," Warrilow says.
"They are unwilling to make those investments since there hasn't been a strong and compelling threatening event, or sustained attacks."
The main business driver for security, according to the report, is regulatory and legislative compliance, while protection against financial losses is the weakest motivation for companies to strengthen their systems.
"It's really interesting to see what a strong role compliance plays these days," Warrilow says.
"Things like the Payment Card Industry Data Security Standard are really changing the game."
Survey respondents from the retail and finance sectors nominate meeting the payment card standard's requirements as the most important security activity for 2008.
The standard is maintained by the PCI Security Standards Council, founded by Visa, MasterCard, JCB, American Express and Discover Financial, to improve the security of cardholder data and protect customer information.
In Australia, retail merchants are scrambling to meet a December deadline to comply with the standard.
Failure to do so could result in fines of thousands of dollars and some organisations are already paying the price of non-compliance.
Meanwhile, the report also reveals that IT risk management is gaining momentum as a discipline and a topic of interest.
About 78 per cent of those surveyed self-assessed their organisation as having a high level of maturity in IT risk management.
Based on the survey, another focus of organisations is identity management, Warrilow says.
"Identity management remains an area where organisations have failed to mature."
The issue is hard to grapple with, as it involves myriad parties, from the human resources department to external suppliers.