In a successful information security program, all three pillars – people, process, and technology must be strong. Senior management lip-service to the importance of security, and the protection of the customer information they are entrusted to secure, no longer suffice. The continuous spate of data breaches clearly shows that simply investing in conventional defenses such as anti-virus programs, content filtering, firewalls, identity-management, and intrusion detection and prevention systems aren’t enough. Not enough attention is being placed on the other two pillars of security: people (security training and awareness), and process and procedure (security policy), and no amount of investment in security technologies will make up the difference in the equation.
According to Ernst & Young’s 2004 Global Information Security Survey, less than half their respondents provide regular IT security training to their employees. Only one-fifth of respondents believe their enterprises view IT security as a CEO-level priority. The 2004 Computer Security Institute/FBI Computer Crime and Security Survey, which queried nearly 500 organizations with arguably the most sophisticated IT security programs, revealed that, on average, all the respondents believed their organizations invested inadequately in security awareness programs. And these organizations invest heavily in many conventional security defenses: anti-virus programs (99 percent), firewalls (98 percent), server-based access control lists (71 percent), and IDS systems (68 percent). One of the most startling statistics from the survey is that even these companies fail to invest in encryption solutions, with only 64 percent encrypting data in transit, and 42 percent using encryption to protect stored files. This raises concerns about just how seriously companies take the task of protecting their own information and the information of their customers’.
Information Security Best Practices
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.