Top Execs Say Their Enterprises Arent Ready for Security Attacks

CEOs and other corporate executives perceive their companies as unprepared to contend with, and are vulnerable to, security breaches, according to a study by KPMG LLC.

In the report released today, 41 percent of those executives interviewed feel their firms are not equipped to handle a serious security attack. The conclusion of this survey of 500 executives from multinational firms in the United States and Europe follows other recent surveys that have found corporations susceptible to major security breaches.

One major hurdle, according to the study, is that few executives understand what securing the enterprise entails. In fact, 59 percent of respondents said they viewed information security as a technology problem that can be handled by a technology solution. Only 39 percent said that they view information security as a strategic business issue that requires an integrated organization solution.

“One large problem certainly is that a large number of respondents felt that security was legitimately an issue for their IT function as opposed to an issue that belongs first and foremost with the CEO or the COO of the company, and that certainly affects the way information security is approached,” said Stewart Campbell, national partner-in-charge of KPMGs Risk and Advisory Services Practice in San Francisco. “They dont seem to have measured the impact of a security breach and are not aware of how much it costs to be down and out of business.”

Certainly, executives misunderstand the source of threats. Thirty-three percent considered hackers their greatest threat, while 35 percent said employees posed the greatest threats. KPMGs own studies however, indicate that 80 percent of security incidents involve employees.

Surveyed executives also left doubt as to how far companies have progressed in terms of securing e-business transactions. While 57 percent of organizations have a comprehensive e-business plan, only 52 percent of executives conducting e-business said their plans adequately address Internet security concerns.

As to the soundness of information security policies in place, executives felt they werent comprehensive enough. Formal information security policies are in place at 88 percent of the organizations surveyed, but only half of those policies were perceived as completely adequate.

Executives are willing to spend money on security, though. Despite tightened budgets throughout IT departments this year, 65 percent of those surveyed said spending on security at their organization would not be cut. Moreover, 28 percent said they expect spending on security to increase.

And, while the survey was conducted in August, Campbell said the terrorist attacks of Sept. 11 have heightened security concerns.

“People are spending discretionary dollars on physical security issues, but I havent seen a slowdown in putting security around Web-enabled networks and applications,” he said. “As organizations finish physical security upgrades, expect to see an increase in information security spending overall.”