Business Technology Professionals - Empowered by Steps to Ward Off Threats - Appear Naive in Face of Increased Number and Complexity of Attacks, Global Survey Finds

Ninety-one Percent of U.S. Companies Perceive the Same or Less Vulnerability Than Last Year Despite Increase in Company Security Priorities and Planned Spending

Jul 10, 2006

Data security breaches continue to vex the majority of business technology professionals from around the globe, even though most do not acknowledge their own vulnerability to malicious attacks, according to results of the 2006 Global Information Security Survey published today by InformationWeek and Accenture (NYSE: ACN), prompting increases in security spending in the coming year.

The survey of more than 2,000 business technology and security professionals from eight countries uncovered ongoing concern about hackers, malicious coders, customer data breaches and identity theft. That concern is underscored by the long list of priorities they've identified including raising user awareness (41 percent), enforcing security policies (36 percent), controlling system access (26 percent) and getting more resources (23 percent). However, when asked whether their companies are more vulnerable to attacks and breaches than a year ago, only 11 percent of respondents with U.S. companies, 13 percent of respondents in Europe, 16 percent in China and 25 percent in India thought so. The vast majority think their companies are no more vulnerable than before or about the same, an even higher level of confidence than found in last year's survey.

In its ninth year, the online survey found an upswing in resources directed toward information security across the board. "As businesses continue to grapple with issues like risk assessment and customer data protection, it is helpful to see they're getting the support they need from senior corporate management," said Rob Preston, InformationWeek editor in chief. "However, it's critical that the higher confidence and spending levels don't let security pros lapse into complacency."

  Overall, global highlights and trends include:

  * IT professionals in countries other than the U.S. were slightly more
    cautious in their own vulnerability assessments. Thirteen percent of
    respondents in Europe, 16 percent in China and 24 percent in India say
    their organizations are more vulnerable to security dangers than a year

  * Spending is expected to grow significantly this year.  Fifty-seven
    percent of respondents in India said they expect to spend more on
    security technology than last year, as did nearly 50 percent of U.S.
    respondents, 42 percent of respondents in China and 25 percent of
    respondents in Europe.

  * An increasing number of attacks were reported this past year.
    Fifty-seven percent of U.S. companies report being hit by viruses over
    the last year, 34 percent by worms, 18 percent by denial of service
    attacks, 9 percent by network attacks and 8 percent by identity theft.

  * Variations exist among countries when it comes to the challenges they
    face and how they are addressed.  Managing complexity appears to be most
    daunting for U.S. companies, while user access control is more of an
    issue in Europe and China.  Those in India put security complexity and
    security policy enforcement front and center.

  * Security outsourcing is more prevalent worldwide. Companies in China,
    the United States and Europe expect to increase their security
    outsourcing spending in the coming year by 24 percent, 23 percent and 16
    percent, respectively.

  * Compliance regulations drive security policies and practices.
    Improvements to infrastructure and application security and document
    management practices were brought about by Sarbanes-Oxley, the EU
    Protection Directive and the Bank Secrecy Act.

"We are not surprised by the expectations that security spending will increase significantly this year," said Alastair MacWillson, global managing partner, Accenture security practice. "Many companies are putting a lot of effort and money into meeting regulatory compliance in the belief that such measures will also improve security. While this may be the case in some circumstances, I do not believe it is a cost effective way of addressing security weaknesses in areas that really matter to the company."

"Those companies that do security well, integrate security into everything they do, recognizing that security enables them to do new things, and are able to justify the business value and show a return on their investment in security," MacWillson continued. "Consider, for example, online banking, which is not possible without bulletproof security."

  Threat Response and Risk Management

  * Companies spend more than 10 percent of their IT budgets on information
    security, on average, although the amount spent varies by geography.
    For instance, 30 percent of U.S. respondents said their companies plan
    on spending more than $100,000 on information security, compared with 15
    percent of respondents in India, 10 percent of respondents in Europe and
    only 5 percent of respondents in China.

  * Tactical security priorities for the year include monitoring security
    compliance, installing and monitoring intrusion detection tools and
    enhancing data.  Telecom security is also a priority for a small
    percentage of companies, most likely due to Voice over Internet Protocol
    (VoIP) implications.

  Facts About Security Breaches

  * The most-reported method of attack is falsified information in e-mail
    attachments.  The highest growth category for this type of attack is the
    abuse of valid user account/permissions.

  * Hackers and malicious coders are still the most likely culprits,
    followed by an assortment of current and former employees and other
    authorized users.

  * Spam prevention is a worldwide priority due to its impact on
    productivity.  Compromised customer records and identity theft are also
    on the rise.

  * Across the board, the biggest result of security breaches is network or
    application downtime.  In China, half of the companies noted compromised
    confidentiality and system destruction.  Most companies don't quantify
    the significant financial costs of the resulting destruction.

  Security Responsibility and Safeguards

  * Many parts of an organization are responsible for security, with input
    from internal and external influencers. In the U.S. and China it is
    primarily the CIO and a crew of IT directors who set security policy; in
    Europe, the CEO/president is also involved and roughly one-third of all
    companies have a Chief Information Security Officer (CISO) that reports
    to the CIO or CEO.

  * The president and CEO holds the purse-strings for spending on security
    technology in nearly half of U.S. and European companies and more than
    one-third of Chinese and Indian firms.

  * Safeguards are now commonly in place for internal protection of customer
    data through employee education on privacy standards, secure Web
    transactions and encryption of transmitted communications.  The majority
    of companies now monitor employees in many areas, including e-mail and
    Web site usage, use of instant messaging and the content of outbound
    e-mail messages.

  Security Vendors and Outsourcing

Business technology executives consider many factors when selecting security products. In the U.S. and India, considerations include the technical product strength, total ownership costs, vendor service/support, pricing and integration. In Europe, product strength and pricing and in China service/support and integration are the most important factors.

A majority of firms are willing to accept "locking in" to a single vendor in exchange for better protection and reduced complexity. U.S. companies cite reducing complexity as the key reason for selecting a single vendor, while respondents in Europe, China and India cited the superior protection offered by integrated solutions as the main reason for doing so.


The Global Information Security Survey, an editorial research product of InformationWeek magazine and Accenture conducted online during May and June 2006, examined responses from 2,193 business technology and security professionals from eight countries.

The U.S. sample is from the subscriber base of InformationWeek Magazine and its affiliates. Data for Europe, the U.K., France, Germany, Italy and Spain was provided by Harris Poll's online panel. Information Week China, Cyber India Online Ltd (CIOL) and Ciao also contributed data for the study.

About InformationWeek

InformationWeek sets the agenda for business technology executives, covering the full range of information access points IT decision-makers use today. A trusted, authoritative source and information filter, InformationWeek helps community members understand and focus on what's important up-to-the-minute -- in print, online, through independent research and at live, peer-to-peer events. Through its cross-media platform, InformationWeek delivers content to complement the print publication to its community of business technology leaders when and how they want it, 24/7. The InformationWeek community includes an audience of 2.5 million CIOs, IT executives and business managers who cut across industries, job titles, company sizes and global borders.

InformationWeek is consistently recognized for its commitment to excellence and thought leadership by the IT community, receiving many of the industry's top media accolades, including several awards from the American Society of Business Publication Editors (ASBPE), top spots in BtoB Magazine's Media Power 50 and Circulation Excellence Awards from Circulation Management Magazine.

About CMP Technology

CMP Technology is a marketing solutions company serving the technology, healthcare and lifestyles industries. Through its market-leading portfolio of trusted information brands, CMP Technology has earned the confidence of more professionals and enthusiasts in these fields than any other media company. As a result, CMP is the premier provider of access, insight and actionable programs designed to connect sellers and buyers in each of these industries in ways that yield superior return on investment. CMP Technology is a subsidiary of United Business Media, a global provider of news distribution and specialist information services with a market capitalization of more than $3 billion.

About Accenture

Accenture is a global management consulting, technology services and outsourcing company. Committed to delivering innovation, Accenture collaborates with its clients to help them become high-performance businesses and governments. With deep industry and business process expertise, broad global resources and a proven track record, Accenture can mobilize the right people, skills and technologies to help clients improve their performance. With more than 133,000 people in 48 countries, the company generated net revenues of US$15.55 billion for the fiscal year ended Aug. 31, 2005.

  Press Contacts:
  Jennifer Cincu
  Articulate Communications Inc.
  212.255.0080, ext. 33

  Ed Trapasso

SOURCE: CMP Technology

CONTACT: Press, Jennifer Cincu of Articulate Communications Inc.,
+1-212-255-0080, ext. 33; or Ed Trapasso of
Accenture, +1-917-452-3555
