Security Web Digest: Security A Major Priority, Analysts Doubt Spam Proposals ... and More

Data center managers are concerned... Shift in attacks on financial services organizations... New California privacy requirements go into effect July 1... and more from around the web


According to a study released this week by AFCOM's Data Center Institute, information security is a major priority for the nation's largest data centers in the face of constant terror alerts, tensions in Iraq and proliferating cyberthreats. The study, conducted earlier this year among 257 data center managers, showed that nearly 50 percent of the companies surveyed said they had increased security budgets by 5 percent to 15 percent in the past year. While a majority of organizations are still spending less than 10 percent of their IT budgets on security, about 17 percent allocated between 9 percent and 20 percent of their budgets for it. The budget increases come at a time when a growing number of companies face external and internal cyberattacks, said Jill Eckhaus, president of AFCOM. "The most surprising thing in my mind was that almost 30 percent of the companies surveyed did have a breach of security last year," she said.

Another study found that most security attacks on financial services organizations come from outside the company. Deloitte & Touche's 2003 Global Security Survey examined the security at 80 Fortune 500 financial companies, and found that 90 percent of security attacks are coming from external sources. "For as many years as I can remember, internal attacks have always been higher than external," said Simon Owen, Deloitte & Touche partner responsible for technology risk in financial services. "Sixty to 70 percent used to be internally sourced. But most attacks are now coming from external forces and that's a marked change."

Homeland Security

More than 20 months after the Sept. 11 terrorist attacks, the United States remains ill-prepared to defend against a strike on the nation's critical computer systems because of slow-moving federal research efforts, members of Congress said Wednesday. "The nation quite simply has been under-investing woefully in cyber security R&D, and as a result we lack both the experts and the expertise we ought to have in a world that relies so heavily on computers and networks for the necessities of everyday life," said Rep. Sherwood Boehlert, R-N.Y., chair of the House Science Committee, which brought the heads of the four agencies to Capitol Hill to testify about their efforts. Wednesday's testimony follows the departure of two key White House cyber-security advisers earlier this year.


The continued rise in spam has prompted several lawmakers--including Sens. Charles Schumer (D-N.Y.), Ron Wyden (D-Ore.), Conrad Burns (R-Mont.), and Rep. Zoe Lofgren (D-Calif.)--to introduce or promise anti-spam legislation. But Gartner analysts Maurene Caplan Gray and Adam Sarner said that the efforts will "end up regulating only the legitimate E-mail marketing industry. These bills will not stop spam." Even anti-spam activist John Mozena, the co-founder and VP of the Coalition Against Unsolicited Commercial E-mail (CAUCE), a group dedicated to fighting spam, is unconvinced that the Burns-Wyden bill (commonly called the CAN-SPAM bill) will do much. "None of the bills that have been introduced are really the best way to take a whack at spam," he said. "Any law that gives the marketer one bite of the apple--even just one chance to spam a user before they request to be removed from the list--isn't going to work. There are too many marketers, and too many recipients."

Companies doing business in California have a compelling reason to bolster their data security. A new state law that goes into effect July 1 will require companies that maintain data on California residents to inform individuals of any security breaches that result in their personal information being stolen. Apart from those in the financial services and health care sectors, few companies appear to be aware of the pending rules, according to some legal experts. That could be dangerous, since failure to comply with the statute's requirements could expose companies to potentially costly lawsuits, legal experts warned. California SB 1386 was signed into law last year and is being used as a model for a similar federal identity-theft-related bill.