Data laws raise security worries

Compliance creates difficulties securing corporate data

Regulatory compliance is now the biggest security concern for IT departments, according to international research published yesterday (Wednesday).

Nearly two-thirds of firms that responded to consultancy Ernst & Young’s survey cited complying with electronic data retention regulations such as Sarbanes-Oxley and the European Union 8th Directive on company law as their primary IT security focus.

But despite senior management fears of prosecution making security a board issue, IT departments are failing to make information security an integral part of the business, says The Global Information Security Survey 2005.

‘Images of directors being taken away in orange jumpsuits and silver manacles are making firms sit up and take notice,’ said Ernst & Young partner Antony Smyth.

‘It is a chance for departments to make use of the focus that security is getting in the boardroom, but most are not doing this.’

The survey of more than 1,300 public and private sector organisations in 55 countries found 81 per cent of firms view IT security as the most important element in complying with data policies.

Just 56 per cent of IT directors cited security as important for aiding other business strategies.

Some 88 per cent of firms are updating policies and procedures to comply with regulations, but only 41 per cent are using the opportunity to reorganise their IT security functions or to make changes to systems architecture.

The survey also suggests that organisations are not securing information and systems when they outsource their operations to third parties.

One fifth of firms do not address the risks of communicating electronically with suppliers, outsourcers and partners, and 33 per cent have only informal procedures to deal with these risks.

‘Businesses might put information security procedures in place in their own offices, but do they know whether call centre partners are allowing staff to bring iPods into their booths, or whether they are taking information out?’ said Smyth.

The survey also found firms are overlooking security issues when adopting emerging technologies, such as internet telephony and server virtualisation.