

Journalism - Techworld

PwC report reveals security woe

Report finds security breaches in nearly 50 percent of fast-growing US companies. But can surveys really get at the truth of such a complex topic?

25 November 2003

Nearly half of US-based 'trendsetter' companies have suffered a security breach in the past two years but CEOs remain blasé about the risks and have not increased resources sufficiently to protect their systems. That is according to a new survey by PricewaterhouseCoopers.

The company interviewed 402 CEOs of privately-held US companies that it identifies as “trendsetter” companies, namely the fastest-growing businesses over the past five years (their revenue varies between $5 million and $150 million).

It found that 46 per cent of them had suffered a “recent breach of their information security”. In these cases, four-fifths were due to a virus or worm. A hefty 83 per cent say they suffered some form of financial loss from the breach. A quarter of them saw their systems down for some period of time.

The CEOs were split equally into three groups over whether security was ‘not particularly important’, ‘slightly important’ or ‘very important’. Nevertheless, only 15 per cent will be increasing their security budget this year and two per cent will be reducing it.

This apparently disturbing report is made worse by the fact that companies traditionally underplay the level of security problems they have. It could easily be the case that well over half of all companies have experienced this form of security breach.

However, we suspect that this high headline figure has more to do with getting the report noticed than the real situation on the ground. Little precise information is given about the exact nature of the breaches or how much trouble was caused. Taking the widest definition, the survey could equally be headlined “over half of all companies defeat virus problem”.

According to the report, 61 per cent of the breaches were caused by “hackers” and email came second with 27 per cent. Now this may well be true, but we suspect the spectacular rate may stem from technical staff telling little white lies to the boss to save being hauled over the coals for failing to adequately patch their systems.

There is also the fact that only company CEOs were interviewed. How much do CEOs really know about the effect of attacks on their IT systems? Probably only what they've been told by the CTO or technical staff, and there will always be reasons for not giving the entire truth.

What CEOs do know is how to judge people and their motivations. And if you ever find a department head that doesn't come up with a dozen good reasons as to why their budget should be increased next year, then you are asleep and dreaming.

A CEO, for example, would be immediately suspicious of the report author's proclamation: “Unless more attention is given to information security budgets and priorities, many of these fast growth companies could be placing themselves at risk,” said Mark Lobel, senior manager for security and privacy services at PwC.

“This situation may be like replacing your windshield wipers - you're wise to change them on a sunny day, to be prepared for a rainy one.”

