The worlds top executives now cite security as the most critical aspect of their companies networks, but nearly four in five still click on e-mail attachments from strangers, according to a new survey from the Economist Intelligence Unit.
The AT&T-backed survey was carried out by the business information arm of the Economist Group, publisher of the Economist magazine, and canvassed 254 senior executives from Europe, North America, Asia-Pacific and elsewhere. It found that 78 percent of respondents considered security the top corporate networking issue, displacing reliability and availability, which led the list last year.
However, the same percentage of respondents admitted to opening attachments from unknown senders in the past year, a figure the EIU found "astonishing." E-mail attachments are one of the most common methods Internet worms use to propagate.
In addition, 29 percent said they had chosen their own name or birthday as a "secure" password to a corporate network, and 17 percent said they had accessed the company network in a public place and hadnt logged out. Nine percent even said they had informally shared a company network password with someone outside the firm.
Respondents werent unaware of the dangers of such mistakes, saying they expected 83 percent of threats to originate internally, from accidents, sabotage or espionage. This awareness didnt seem to change their behavior, however—a finding that did not surprise some security experts. "Since people have a tendency to say this will not happen to them, companies have to keep working on awareness that attacks do happen," said Rick Cudworth, partner and international service leader for security and continuity at KPMG UK, in the study.
Thierry van Herwijnen, Cisco Systems European marketing manager for security, said he sees the problem as essentially a marketing issue. "We try to educate the managers and employees in companies we serve, but change is very difficult," he told the EIU.
Executives said their networking priorities are focused on opening up the network to remote workers, partners and customers, and they recognized that these goals bring inherent security risks. More than 80 percent said their priorities left their firms vulnerable or extremely vulnerable to threats.
Security spending is rising much faster than overall IT spending, respondents said, appearing to confirm the estimates of Gartner analysts, who estimate that total worldwide security spending will grow by 17.6 percent through 2006. On average, the surveyed companies spent 9 percent of their IT budget on network security in 2002, rising to 11 percent in 2003, and expected to reach 13 percent this year. This spending may be justified by the rising toll of network attacks, which has risen from $3.3 billion worldwide in 1997 to an estimated $12 billion last year, according to figures from Carlsbad, California-based Computer Economics cited in the study.
For smaller firms, a switch to managed security is an increasingly popular option. Thirty-two percent of all respondents said they already used or planned to use managed security services in the next two years, with another 14 percent saying they would use them in the long term. However, most of these companies—70 percent—are small and midsize firms.
The survey found that CEOs are increasingly taking responsibility for network security policy, while some companies are beginning to appoint a chief security officer. "For any company, it is virtually impossible to ensure protection of assets without one person owning the focal point," said Ed Amoroso, information security officer at AT&T.
The online survey canvassed 254 senior executives, with 40 percent of respondents from Europe, 27 percent from North America and 21 percent from Asia-Pacific, mostly representing the financial services, professional services, manufacturing, transportation and energy sectors. It was supplemented by in-depth interviews with executives and analysts. The research took place between March and April of this year.
The study is available from AT&Ts Web site.