Companies still ignore IT danger

Corporate information systems remain dangerously vulnerable to cyber attacks, with almost half not having a formal security policy in place, according to a survey by Computer Sciences Corporation (CSC).

The study also found that 59 per cent do not have a formal compliance program supporting their information systems (IS) function, and 68 per cent do not regularly conduct security risk analyses or security status tracking.

Chief information officers, vice-presidents and directors of technology departments in various markets such as financial services, healthcare and government responded to this year's Critical Issues survey.

Of the 1,000 respondents, 29 per cent were from Europe, 34 per cent were from North America, 13 per cent were from Australia and 24 per cent were from Asia.

The findings also found that IS managers generally held a lackadaisical view towards protecting and securing information systems prior to the attacks against the World Trade Centre.

While most IS professionals recognise the benefits of protecting and securing data, the business leadership in the company still sees security as a "nice to have" rather than a "need to have", said Ron Knode, CSC's global director, managed security services.

"It's not until something goes wrong that perceptions change," he said.

According to the survey, the most important issue for global technology executives was getting maximum value from their existing enterprise systems.

The second issue of critical concern, cited by 63 per cent of the respondents, was optimising organisational effectiveness, mainly by partnering with the company's senior management to create and sustain value.

When asked to rank issues most important to the company, global technology executives said eliminating system vulnerabilities to minimise risks and to safeguard information resources ranked fifth.

CSC recommends companies define and develop an information security plan as well as design a task force responsible for the information security policy program. The firm also said that companies should conduct regular audits and follow up on any findings.

"The goal is not the technology, but rather, synchronising business processes with information technology at the centre," Knode said.