Global firms reach compliance breaking point

Global businesses have reached "compliance breaking point" as they struggle to put the necessary IT security resources in place to comply with ever more stringent legislation, new research has warned.

The conclusion is based on a report commissioned by security firm McAfee and conducted by Dr Jonathan Liebenau, senior lecturer in information systems at the London School of Economics Department of Management.

The research suggests that a company's reputation could be damaged by disclosure laws now in force in the US that look set to become more widespread.

Many businesses are reliant on a very limited number of specialists who can manage information risks and understand compliance.

Companies that lose these internal capabilities often struggle to find replacements either on the labour market or through outsourcing.

The study suggests that the best example of the direct link between IT security and the strategic business function is the requirement to give public notice of a security breach.

This has been the law since 2004, but poses serious risks for business reputation and business continuity.

Dr Liebenau found that by mid-2006, reports of security breaches in the US were numbering between eight and 10 per week. To date, almost 94 million records containing sensitive personal information have been involved in security breaches.

"The mandatory reporting of security breaches will have far-reaching implications on a company's reputation management," he said.

"The practice of reporting breaches, now commonplace in the US and quickly spreading to several regions in the world, will impact the way individuals and organisations think about information handling in general and reputation protection in particular."

Surprisingly, Dr Liebenau's research found that compliance requirements may be increasing security risks because guidelines, standards and compliance concerns overshadow business security needs.

The report also pointed out that the costs involved in monitoring and meeting compliance requirements can take resources away from dealing with live security threats.

Researchers found that chief information officers, security officers and IT directors believe that compliance is playing an ever-increasing role in IT security, but many businesses are struggling to cope with its requirements.

According to one banking security expert in the UK: "We understand Sarbanes-Oxley and what it's good for, but in practice you do what you can."