Companies are concerned about their network security and have some measures in place, but still feel their security has to be improved, according to studies in Canada and the US.
More than 95 per cent of the 70 respondents to a Web-based survey by International Network Service (INS), conducted from July to August, said they consider improving their network security capabilities to be important. For example, network intrusion detection and alarming was considered important by 71 per cent of those surveyed, but is currently being implemented by only 36 per cent of respondents, with 43 per cent saying it is planned for sometime in the future.
"The general consensus is people are spending a lot of time and effort in increasing their security," said Victor Danevich, a managing consultant with INS. "It's not just a point solution any more, it's a process. They need to institute more efforts in all-around areas, instead of just sticking in a firewall and saying that their security problems are resolved."
Yogen Appalraju, a principal with KPMG, was involved with a recent Canadian study that found similar results. He said KPMG's results were worse than he expected in terms of the sophistication of security.
"A lot of people talk about firewalls, but it's more than just a firewall. Once you really understand some of the threats from the Internet, you'll recognise that it's very hard for you to have a hardened operating system," Appalraju said. He defined a hardened operating system as one that has been modified away from the standard to minimise security vulnerabilities.
Appalraju also said many companies ignore security in terms of their electronic commerce.
"You may have things such as CGI scripts which create vulnerabilities which can be exploited on the Internet," Appalraju said. "You've got to be very careful about what Internet services you allow into your internal network from the Internet."
The INS survey found that respondents, 77 per cent of whom were from the United States, were more concerned about external threats than about internal threats, by a margin of two to one.
Appalraju said he has found the same attitude in Canada.
"I think people, especially in Canada, have a sense of trust, particularly about the people they work with."
He added that this is a dangerous perception, since other studies he has seen have found that about 70 per cent of attacks come from internal users.
Appalraju said attitudes toward security depend largely on the size and purpose of the specific company. In most cases, he said, Canadian and US companies are probably at the same level.
"If we're talking about major banks, I'd say clearly Canada's on top. We're more diligent in Canada about security than they are in the US. If we talk about government, I think the Canadian government and the US government are about on par in terms of diligence.
"If you look at large organisations, I'd say they're fairly similar in the US and Canada. The one that really concerns me is the mid-sized and smaller companies that connect to the Internet. They don't have the resources and they're fairly lax and naïve about the security threats," Appalraju said.
As for the INS survey, it found that a big hurdle in getting network security up to levels perceived as satisfactory is a lack of sufficiently trained personnel. Fifty-one per cent cited inadequate manpower or staff turnover as the greatest barrier to improving network security; 49 per cent cited insufficient upper management support, with 48 per cent specifying a problem with justifying costs and benefits to upper management; and 41 per cent had problems with the amount of staff training required.
"In general, there aren't enough people who are trained on the networks to adequately staff the network organisations," said Rick Blum, research programs manager with INS. "When you get into something that requires more expertise, such as security, that shortage is even heightened."