Reseller News

Low security awareness found across IT

Survey reveals disturbing lack of communication about key security issues within enterprises, one exec says

A broad spectrum of IT people, including those close to security functions, appear to have little awareness of key security issues impacting their organizations, a new survey shows.

The survey, which polled 430 members of the Oracle Application Users Group (OAUG) conducted by Unisphere Research and sponsored by Application Security Inc. included directors and managers of information technology, developers and programmers, database and systems administrators, systems architects and analysts and professionals from the HR and financial functions.

About 22% of respondents claimed to be extensively involved in security functions, 60% claimed a limited or supporting role, and the rest said they were not involved with security at all. About 100 respondents belonged to companies with more than 10,000 employees.

What the survey showed was a surprising lack of awareness of security issues among the respondents. For instance, just 4% admitted to being fully informed about security breaches within their organizations. About 80% of those who said their organizations had suffered a data breach in the past year were unable to tell which IT components might have been impacted by the breach.

There appeared to be even less knowledge or acknowledgement of the costs associated with a data breach. Nine out of 10 of those who said their organizations had been breached said they had no idea of the resulting costs to their companies.

More than 53% said they had no idea about the budgets allocated for security spending, or were not privy to the data. One out of three respondents expressed a lack of understanding of security threats, while more than half expressed the belief that security efforts were being constrained by a lacking budget.

Mary Clark, president of the OAUG, expressed surprise at the broad takeaway from the survey results. "While OAUG members may not be the primary points of contact for IT security in their organizations, it is a bit surprising that many of the respondents to the survey indicate they are unaware or unsure of the security efforts taking place in their organizations," she said.

"The opportunity to provide its members information and education in this area is something the OAUG will explore," Clark added.

Thom VanHorn, vice president of global marketing at Application Security, said the survey reveals a disturbing lack of communication about key security issues among different groups within enterprises.

Although a substantial portion of survey respondents claimed to be close to IT security functions, "there is a huge number that don't know or are unsure about [fundamental security issues]," he said.

"It really says there isn't enough focus on security or communication across groups despite the environment we live in," VanHorn said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is .

Read more about security in Computerworld's Security Topic Center.