Government Regulations Mean Better Security, Survey Finds

Study finds companies believe networks are more secure because of regulation despite their delaying investment in new security projects

A new survey of computer security professionals reveals that while many of them believe that the time they need to comply with increased government regulations has cut into their ability to secure their computer networks, they also admit that those networks are safer as a result. Yet, almost one in five said they would be willing to leave their networks unprotected on an around-the-clock basis, preferring to accept the risks to their networks and to the information contained on them.

The 2005 IT Security Management Survey, conducted during November by RedSiren, a provider of IT security management solutions, received responses from more than 300 information technology and security professionals working at a wide range of companies, in the public, private and government sectors.

Two-thirds of those who took part in the survey acknowledged that the wide range of government regulations, such as Sarbanes-Oxley, HIPAA, and GLBA, has affected their company's handling of IT security issues. Among those affected, 62 percent said they now spend more time complying with those regulations, and less time on activities actually protecting their networks; more than 38 percent said those regulations have caused them to either divert or delay new IT security projects. But a large majority (66 percent) acknowledged that compliance with those regulations has, in fact, made their networks more secure.

More than 19 percent of the respondents admitted that they were willing to "assume the risk," rather than protect their networks around the clock once patch management and incident response products become more automated. RedSiren's analysis behind the responses showed that small- and mid-sized government agencies and medical practices were more likely to answer this way.

"This shows a clear disconnect among the very people who need to be thinking proactively about how to best protect their networks and the information that resides on them," said Nick Brigman, RedSiren's vice president of product strategy. "On one hand, they know that the government's rules are making them move in one direction. But on the other hand, a surprising number are willing to leave things to chance."

"They may feel they're small and would be overlooked by potential attackers," Brigman continued. "Our experience with clients worldwide shows precisely the opposite: that attackers are looking for any outlet to gain control, regardless of size. At best, these people may be deluding themselves into a false sense of security. At worst, they're taking a dangerous risk."

To bring more value and perspective to readers of the survey, RedSiren asked security market analysts at Current Analysis and the security practice leader of Baker & McKenzie LLP to provide a sanitized, independent and in-depth review of the results.

"The survey results provide strong evidence for the fact that information security is no longer just a technical issue for the IT department - it has clearly become a legal issue for most businesses as well," said Thomas Smedinghoff, with Baker & McKenzie LLP, who focuses on emerging legal issues relating to e-business, electronic transactions, information security, and privacy, as well as information technology, and intellectual property.

Counse Broders, principal analyst for Internet/Managed services at Current Analysis (www.currentanalysis.com), said, "While 55 percent of firms responding in this survey cite that they offer employee security education is laudable and encouraging, the fact that 11 percent do not believe there is a need for a program highlights a shortcoming." Numerous analyst firms have pointed out the need for educating employees at all levels of an organization about the role they play in helping to secure computer networks; that education has taken on additional importance because of the requirements of Federal and state privacy regulations. RedSiren Institute, the company's eLearning initiative, delivers online courses that meet these needs, and enables employees to learn and retain the content more effectively.

The RedSiren 2005 IT Security Management Survey also found that:
  • Attacks delivered by email, such as viruses, worms and phishing, were cited by almost half of the respondents as the number-one threat.
  • Spam, in the opinion of respondents, has faded in importance as a major threat to their computer networks. Overall, only 7.6 percent of those answering the RedSiren survey believed it would be the biggest single threat to their systems in 2005.
  • More than 90 percent of respondents said their IT security budgets will either stay the same or grow during 2005; of those respondents, more than 18 percent said their budgets will grow significantly, by more than 20 percent.

A complete copy of the 2005 IT Security Management Survey is available online.