Global businesses have reached "compliance breaking point" as they struggle
to put the necessary IT security resources in place to comply with ever more
stringent legislation, new research has warned.
The conclusion is based on a report commissioned by security firm McAfee and
conducted by Dr Jonathan Liebenau, senior lecturer in information systems at the
London School of Economics Department of Management.
The research suggests that a company's reputation could be damaged by
disclosure laws now in force in the US that look set to become more widespread.
Many businesses are reliant on a very limited number of specialists who can
manage information risks and understand compliance.
Companies that lose these internal capabilities often struggle to find
replacements either on the labour market or through outsourcing.
The study suggests that the best example of the direct link between IT
security and the strategic business function is the requirement to give public
notice of a security breach.
This has been the law since 2004, but poses serious risks for business
reputation and business continuity.
Dr Liebenau found that by mid-2006, reports of security breaches in the US
were numbering between eight and 10 per week. To date, almost 94 million records
containing sensitive personal information have been involved in security
breaches.
"The mandatory reporting of security breaches will have far-reaching
implications on a company's reputation management," he said.
"The practice of reporting breaches, now commonplace in the US and quickly
spreading to several regions in the world, will impact the way individuals and
organisations think about information handling in general and reputation
protection in particular."
Surprisingly, Dr Liebenau's research found that compliance requirements may
be increasing security risks because guidelines, standards and compliance
concerns overshadow business security needs.
The report also pointed out that the costs involved in monitoring and meeting
compliance requirements can take resources away from dealing with live security
threats.
Researchers found that chief information officers, security officers and IT
directors believe that compliance is playing an ever-increasing role in IT
security, but many businesses are struggling to cope with its requirements.
According to one banking security expert in the UK: "We understand
Sarbanes-Oxley and what it's good for, but in practice you do what you can."