Half Of Companies Surveyed Suffered Security Breach

The poll of CEOs from over 400 firms -- companies with revenues ranging from $5 million to $150 million which Pricewaterhouse dubs 'trendsetters' and tracks on an ongoing basis -- uncovered a disturbing trend: smaller organizations haven't responded to such breaches, and the ensuing losses, by beefing up their security budgets.

"Earlier this year, we saw the security budgets in large organization increasing," said Mark Lobel, the senior manager for security and privacy services at PricewaterhouseCoopers, and the author of the survey results. "But we're seeing these fast-growing companies not spending as consistently as their more mature brethren.

"They do that at their peril," he added.

According to the survey, 46 percent of the fast-growing companies polled said they had been the victim of a recent security breach. The vast majority -- 90 percent -- of those breaches were caused by computer viruses or worms, with some companies under attack from multiple vectors, including unauthorized network access (17 percent), denial-of-service (DoS) attacks (13 percent), and wireless intrusion (2 percent).

Hackers were cited as the source of 61 percent of the attacks, followed by e-mail at 27 percent. Attacks by unauthorized users and employees, former employees, and competitors, however, accounted for more than 1 out of every 10 attacks.

Of those companies which admitted to a security breach, 83 percent reported at least some monetary loss -- ranging from network downtime and lost or damaged customer records to direct financial losses and identity theft. Downtime averaged 1.33 days per employee over the past 12 months.

"The price of being unprepared or under-prepared amounted to a loss of hard dollars for eight in ten companies surveyed, and the lost time equivalent of more than an extra vacation or sick day for each and every employee in a penetrated company," said Lobel.

But the wave of problems hasn't meant hard-charging companies are spending more on security. On average, the polled CEOs said that their organizations were spending 1.9 percent of their operating budget on information security this year, only a slight increase from the 1.8 percent that they spent in 2002.

"Unless more attention is given to information security budgets and priorities, many of these fast growth companies could be placing themselves at risk," said Lobel.

Typically, start-ups and fast-growing companies like those surveyed are so intent on the bottom line, said Lobel, that they don't focus on protecting their bottom line. Firms that do pay attention to security, he said, could reap competitive advantages.

But simply putting technology into place isn't the answer. "Security isn't just a technology problem," Lobel said. "Clearly, it's a component, but security is really a combination of technology, people, and processes."

One recommendation Lobel offered up to fast-growing companies is to assign personnel -- even if it's just one person, part-time -- to information security, who are responsible for monitoring policies and processes put into place to safeguard the network, customer data, and intellectual property.

The ongoing battle against hackers and other threats may not be glamorous, but it's absolutely necessary, Lobel concluded.

"Security is a daily grind," he said. "It's not supposed to be fun."

This story courtesy of TechWeb .