Most Companies Are Far Too Optimistic Regarding Security
Angela Gunn writes on BetaNews:
The Enterprise Strategy Group, which conducted the Database Security Controls study in conjunction with Application Security Inc., spoke in October to 179 IT decision-makers working in enterprise-class organizations (meaning those with 1,000 employees or more). The 27-item questionnaire inquired about security budgets, breaches, controls and audits. More here.
It's not pretty. Tom Bain, director of marketing and communication for Application Security, notes that 84% of the companies surveyed said that all or most of their confidential data is protected ... and 56% said they'd suffered at least one breach in the previous 12 months. Another 5% said they weren't sure or didn't know.
The picture's even more gruesome when you ask about failure to comply with standards such as PCI-DSS and Sarbanes-Oxley. Some 38% of the companies queried said they'd failed at least one audit in the previous twelve months, with 11% more unsure or not talking. 18% of those queried had failed a PCI audit; 11% missed SOX compliance; 16% fell down on HIPAA, GLBA or FISMA; and 21% managed to biff general security/IT internal checks.
"These companies aren't even taking non-optional measures seriously," said Bain, "let alone protecting sensitive data."