During a tour of Computer Associates' (CA) Melbourne-based research labs, head of R&D, Eugene Dozortsev told media representatives that during 2002 the number of viruses in the wild will increase by 22 percent. Forty 40 percent of companies surveyed from the banking and finance sector, he said, have already been bombarded by 20 or more security attacks this year.
However, all respondents from this sector claimed to have in place a security policy that was reflective of their business needs. -Eighty percent of these policies covered laptops and other mobile computing devices - which was well above the average 58 percent of all industries," Dozortsev said.
-We process between 5,000 and 10,0000 potential virus samples a week," Dozortsev said, adding that there are currently 100,000 viruses or variants being sent around the world, with approximately 200 news ones being added to that list each month. Fifteen to 20 percent of the 200 newbies are in the wild, he said, and 83 percent of all current viruses are transmitted through e-mail.
Whilst the banking and finance sector might have the biggest wad of cash to spend on IT security, with almost 40 percent of companies allocating between 15 percent and 25 percent of their current IT budgets on IT security-related issues, Dozortsev said it was paramount that organisations take a holistic approach to security.
-Defence from external attacks and internal abuse is just one of the areas people should be thinking about," Dozortsev said, adding that securely extending virtual boundaries is much more important. -This is the real business risk."
The management of administration, authorisation, auditing and provisioning, is also a security area businesses must keep in mind, and one where businesses can reap cost savings, Dozortsev said. A 1000-person organisation, he explained, normally has 10-15 people on the helpdesk, 75 percent of whom are working on password management issues. With AU$1.5 million spent running that helpdesk a year - fundamentally on password management - the implementation of software to do that would reduce helpdesk headcount by three-quarters and save a AU$1 million, he said.
-We have seen some vertical industries implementing comprehensive security management procedures - financial services, government and healthcare, but that still leaves a lot of businesses that are insufficiently protected," Dozortsev said.
-The likelihood that your company will be hit with a security attack is growing. Preparing ahead of time is the only way we minimise the damage that attack may cause to your IT systems and to your company's future."
-All security is s combination of product, policy process and eduction. It is also a journey and not a destination, so it is never complete," he said.
According to Dozortsev, the first question that has to be asked of an organistation looking to implement security processes is: what are your assets? -A 500-person company with AU$30 million of data to protect is one thing, AU$1 million of data is another," he said. Once assets have been identified you move onto risk assessment and then make a conscious decision, he added.
According to CA's research, of the companies which experienced more than 10 virus attacks, only half had boards aware of the IT security policy and implications and more than a quarter of the respondents still do not have an IT Security Policy in place that reflects their business needs.
The research also found that only 16 percent of those attacked said they sustained financial losses because of the attacks, 81 percent of respondents had sustained security attacks other than a virus during the year, and intrusion detection and hacking are the biggest security concerns for organisations.
