[ISN] CSO survey: Companies lack plans in case of terrorist attacks
InfoSec News
isn at c4i.org
Thu Jun 10 05:45:43 EDT 2004
http://www.computerworld.com/securitytopics/security/story/0,10801,93741,00.html
By Paul Roberts
JUNE 09, 2004
IDG NEWS SERVICE
A majority of security executives surveyed said their companies don't
have plans to cope with an unconventional terrorist attack, even
though most believe that a terrorist attack of some kind is likely to
occur in the coming months, according to the results of a poll
released by CSO magazine today.
The survey of 476 chief security officers and senior security
executives found that 60% believe that a terrorist attack is likely in
Boston or New York, which are hosting the Democratic and Republican
political conventions this summer, respectively. While 63% of CSOs
said their companies have planned for conventional attacks such as
bombings or hostage taking, 61% said they haven't planned for
unconventional attacks using chemical, biological or nuclear weapons,
according to the magazine.
The online survey of CSO subscribers was conducted between April 27
and May 18, 2004, and has a 4.5% margin of error. CSO subscribers were
asked their opinions on a number of issues, including terrorism,
politics, IT security policy and purchasing decisions.
While planning for unconventional terrorist attacks is rare, the CSOs
reported much better preparation for threats such as cyberattacks,
natural disasters and violent employees. Ninety-four percent of those
surveyed said they have contingency plans in place for natural
disasters and 86% for cyberattacks. Eighty percent said their
companies are prepared for attacks from violent employees or former
employees.
Indeed, the survey showed that companies are quick to slam the door on
former employees. Seventy-four percent of those surveyed block network
access to e-mail and critical documents within one business day of
employees being fired or leaving a company, and 81% block physical
access within one business day.
The theft of intellectual property or other proprietary information is
also a top concern of CSOs, with 91% saying that managing access to
critical information and documents is either "extremely important" or
"very important."
The study also showed that those concerns are often well placed.
Fifteen percent of the respondents said their employer has lost or had
critical documents or corporate information copied without
authorization in the past year. Almost a quarter said they could not
be sure whether such losses had occurred at their company.
However, concerns about the theft of proprietary information aren't
influencing decisions about which security products to buy. Only 11%
of the CSOs surveyed said that the theft of intellectual property was
the primary factor in security spending, which averaged $16.6 million
annually among those surveyed. Instead, the desire to comply with
government regulations is a bigger motivator. Forty-nine percent cited
"issues related to regulatory compliance" as the prime reason behind
their security purchases.
Companies need to have policies and processes in place that protect
their most important assets and ensure the safety and welfare of their
employees, said Lew McCreary, CSO's editor in chief. Among other
consequences, organizations that are shown to have ignored the
interests of either shareholders or employees in the wake of a
disaster could be held legally liable for losses and damage.
Clearly articulated policies and procedures for emergencies and
frequent exercises that reinforce those procedures are a good place to
start, McCreary said. But companies also need to weigh the costs and
benefits of any plans to guard against attacks, including those
involving weapons of mass destruction.
"Companies can't go crazy worrying about the likelihood of a terrorist
event if the cost of remediating such an event is going to be
prohibitive," he said.
CSO magazine is published by CXO Media Inc., a subsidiary of
International Data Group, which also owns the IDG News Service and
Computerworld.com.