Amsterdam, 15 december – McAfee, Inc. (NYSE: MFE) today revealed findings from new research which shows that businesses have reached a compliance breaking point and that organizations are finding themselves more vulnerable to reputation risk due to new compliance-related legislation being rolled out around the world.
The report, commissioned by McAfee and conducted by Dr Jonathan Liebenau, Senior Lecturer in Information Systems, Department of Management at the London School of Economics (LSE), suggests that businesses are struggling to put the necessary IT security resources in place to comply with government regulations. Titled ‘International Perspectives on Information Security Practices’, the research – believed to be the first of its kind- warns that a firm’s reputation could be damaged by disclosure laws now in force in the US and that look set to become more widespread globally.
Limited Expertise
The report also reveals that many businesses are reliant on a very limited number of specialists who can manage information risks and understand compliance. Companies that lose these internal capabilities often struggle to find replacements either on the labor market or through outsourcing.
Forcible Disclosure and Reputation
Perhaps the best example of the direct link between IT security and the strategic business function is the requirement to give public notice of a security breach. This has been law in the US since 2004, but poses serious risks for business reputation, and business continuity. A recent survey by the Ponemon Institute in the US revealed that one third (34%) of customers would change their bank after one security breach.
Dr Liebenau found that by mid 2006, reports of security breaches in the US were numbering between eight and 10 per week. To date almost 94 million records containing sensitive personal information have been involved in security breaches.
“The mandatory reporting of security breaches will have far-reaching implications on a business’ reputation-management,” said Dr Jonathan Liebenau, Senior Lecturer in Information Systems, Department of Management at LSE. “The practice of reporting breaches, now commonplace in the United States and quickly spreading to several regions in the world, will impact the way individuals and organizations think about information handling in general and reputation protection in particular.”
Increasing Risk?
Surprisingly, compliance requirements may be increasing security risk as guidelines, standards and compliance worries overshadow business security needs, as the costs involved in monitoring and meeting compliance requirements can take resources away from dealing with live security threats.
Theory vs. Practice
Researchers found that CIOs, security officers and IT directors believe compliance is playing an ever increasing role in IT security, but many businesses are struggling to cope with its requirements. According to one banking security expert in the UK: “We understand SOX and what it’s good for, but in practice you do what you can.”
The key findings in this area are:
- Evaluation of security practices is often very subjective due to a lack of good benchmarks.
- There is no convergence of the security practices within businesses. Those responsible for policies are often different from those who manage and maintain the system security.
- Information security executives and managers resent the considerable effort spent on monitoring changes in policies and regulations and then re-designing systems in order to comply with these changes.
Evaluating Sarbanes-Oxley
The consensus amongst computer security professionals is that the SOX Act has been a boon to information security in the US, elevating the importance of IT security within corporate life. However, there is a widespread view among the senior IT personnel interviewed that the Act is both too vague in its specifications, and at the same time too prescriptive in its implications.
Dr Liebenau conducted interviews with IT directors, security officers, CIOs and CFOs in large global financial services organizations across Europe, Asia and North America to find out how they assess and prioritize information security risks.
About Dr Jonathan Liebenau
Jonathan Liebenau teaches at the London School of Economics in the Department of Information Systems. He specializes in two areas: fundamental concepts of information, and the problems and prospects of information and communication technology in economic development. He has previously worked in academic administration, technology policy, and the economic history of science-based industry, all positions in which he has emphasized the use of information in organizations. He is the author or editor of several books and over 70 other major publications and has provided consultancy services to leading companies and strategic government agencies, including BT, IBM, Nortel, EDS, Lloyd Thompson, the UK Department of Trade and Industry and the Home Office.
About the London School of Economics (LSE)
The London School of Economics and Political Science is unique in the United Kingdom in its concentration on research and teaching across the full range of the social, political and economic sciences. In the most recent available UK Government Research Assessment Exercise, the School's research was ranked overall second among more than 200 universities and colleges, surpassing that of Oxford and only second to Cambridge. The LSE is Europe’s leading social sciences university and has been home to 13 Nobel Prize winners and 28 past and present heads of state. The LSE faculty, like its postgraduate and doctoral students, is unusually international in composition, giving the School a unique insight into research and studies in an international and comparative context. More than 700 academic and research staff work in 19 Departments, 27 Research Centers and five Interdisciplinary Institutes, making LSE’s strength in depth second to none in its respective fields.
LSE staff has extensive academic links with premier universities and research institutions around the world. Internationally, LSE staff is involved in research projects on all six continents, addressing real world problems in a context of rapid global change.
About McAfee, Inc.
McAfee Inc., the leading dedicated security technology company, headquartered in Santa Clara, California, delivers proactive and proven solutions and services that secure systems and networks around the world. With its unmatched security expertise and commitment to innovation, McAfee empowers home users, businesses, the public sector, and service providers with the ability to block attacks, prevent disruptions, and continuously track and improve their security.
http://www.mcafee.com.
NOTE: McAfee is a registered trademark of McAfee, Inc. and/or its affiliates in the United States and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2006, McAfee, Inc. All Rights Reserved.