Lotsa Talk, Little Walk

There's no shortage of statements supporting information security, but a
CW/Ernst & Young survey finds little action to back up the words. 

By Gary H. Anthes

And the gap between words and actions seems to be widening as scarce
information technology funds get sucked into the black hole of year 2000

Those are some of the conclusions from the Ernst & Young/Computerworld
Global Information Security Survey of 4,255 IT and information security
managers. This is the sixth year Ernst & Young has conducted the survey. 

Of those surveyed, 84% said their senior management believes that
information security is "important" or "extremely important." But the
following results indicate that that concern isn't translating into

   * Forty-one percent said they don't have formal security policies.
   * Three-quarters said they have no incident response plans.
   * More than half said they lack disaster recovery plans.
   * More than a third said they don't monitor their networks for suspicious
   * Fewer than one in five use encryption technology to safeguard sensitive

The survey also spotlights a basic misunderstanding of information
security dangers. Asked to identify threats, respondents were almost twice
as likely to cite hackers as employees, but studies have shown that the
overwhelming majority of security breaches come from inside the company. 

Thirty-two percent of the managers surveyed said security is the biggest
barrier to electronic commerce. (Inadequate technology was cited by 26%,
and unfavorable economics was mentioned by 25%.) But there were
encouraging signs that the security barrier is beginning to yield: The
survey showed a sharp reduction in just a year in the number of complaints
about the adequacy of security products. 

"Over the past two years, security awareness has definitely increased,"
says John Darbyshire, a partner at Ernst & Young LLP and head of the
firm's security practice. "But many people are still not acting on it, and
senior management isn't putting its checkbook where it needs to be just