http://www.computerworld.com/home/features.nsf/CWFlashWeekly/980921mgt

Lotsa Talk, Little Walk

There's no shortage of statements supporting information security, but a CW/Ernst & Young survey finds little action to back up the words.

By Gary H. Anthes

And the gap between words and actions seems to be widening as scarce information technology funds get sucked into the black hole of year 2000 repairs.

Those are some of the conclusions from the Ernst & Young/Computerworld Global Information Security Survey of 4,255 IT and information security managers. This is the sixth year Ernst & Young has conducted the survey.

Of those surveyed, 84% said their senior management believes that information security is "important" or "extremely important." But the following results indicate that that concern isn't translating into action:

* Forty-one percent said they don't have formal security policies.
* Three-quarters said they have no incident response plans.
* More than half said they lack disaster recovery plans.
* More than a third said they don't monitor their networks for suspicious activity.
* Fewer than one in five use encryption technology to safeguard sensitive information.

The survey also spotlights a basic misunderstanding of information security dangers. Asked to identify threats, respondents were almost twice as likely to cite hackers as employees, but studies have shown that the overwhelming majority of security breaches come from inside the company.

Thirty-two percent of the managers surveyed said security is the biggest barrier to electronic commerce. (Inadequate technology was cited by 26%, and unfavorable economics was mentioned by 25%.) But there were encouraging signs that the security barrier is beginning to yield: The survey showed a sharp reduction in just a year in the number of complaints about the adequacy of security products.

"Over the past two years, security awareness has definitely increased," says John Darbyshire, a partner at Ernst & Young LLP and head of the firm's security practice. "But many people are still not acting on it, and senior management isn't putting its checkbook where it needs to be just yet."