Q: What does risk mean to you?

The changing face of threat

All businesses face risk of some sort. Traditionally, the risks facing organisations have tended to range from incidents such as a fire in a building or production line, or environmental factors, such as damage sustained by flooding or storms. In past years, such physical risks made up nearly 100 per cent of the major risks faced by business.

Today, some feel that the risk of environmental or natural disaster is still important, but they now account for around 70 per cent of the risk faced by business. The remaining 30 per cent comes from non-manmade sources and much of this is accounted for by the changing nature of business.

One area in which business is changing is that it is becoming increasingly global, with companies looking to outsource non-core aspects of their business in order to gain access to lower cost resources. This places many in unfamiliar business surroundings with new risks, including those of government corruption, security and employee safety.

Not only are businesses facing risks from new sources, but new legal and industry-specific regulations are raising the bar on dealing with risk. These include legal regulations such as Sarbanes-Oxley, which places the onus on senior executives to personally vouch for the quality of the business information their company publishes, and which looks set to be replicated across Europe. They also include industry regulations such as the food safety laws that come into effect in Europe in January 2005, which require greater disclosure of the provenance of all materials used in the production of food items, right throughout the supply chain. Coming soon, the Basel II capital adequacy accord will force greater disclosure of the risk profiles of banks and other financial institutions.

However, recent surveys show that perceptions of risk vary widely within organisations, and what executives care most about in terms of the risks they face varies widely according to their area of expertise. A survey undertaken by MORI on behalf of the UK Confederation of British Industry (CBI) asked chairmen, CEOs and other senior executives of UK companies about the greatest risks their businesses face. The results are interesting, but in marked contrast to those released in 2004 by FM Global, a leading insurance and risk management organisation. The respondents to this survey were drawn from the ranks of CFOs and treasurers, risk management professionals, and investment professionals.

In the CBI survey, 57 per cent of chairmen and CEOs indicate that they are particularly worried about IT and computer network security - but this is in direct contrast to the FM Global survey, where just 11 per cent of risk managers, eight per cent of CFOs and treasurers and three per cent of investment professionals in Europe see risks to IT and telecommunications systems as being severe hazards facing their companies. There are differences among the professionals interviewed by FM Global for its 2004 survey - 72 per cent of CFOs, treasurers and risk managers see property-related threats as the most important threats facing their organisations, compared to just 19 per cent of European investment professionals.

Another marked contrast is that very few of the respondents to the FM Global survey view newer threats, such as sabotage or terrorism, as serious risks to their organisations. In contrast, one third of CEOs and chairmen responding to the CBI survey view terrorist action as the type of security threat causing the most worry, and one fifth cite environmental terrorism. Among these respondents, more mentioned the actions of animal rights activists as being a threat than the danger of fire or flood, especially among larger companies.

The greatest difference can be seen in how investment professionals assess the risks facing business. Whereas CFOs, treasurers and risk management professionals are more focused on property-related risks, 81 per cent of investment professionals point to non-property-related risks as being the most important. Within this category, pricing fluctuations were seen as important risks by 46 per cent of European investment professionals and government and regulatory requirements by 17 per cent. For risk managers, these were seen as important by just nine per cent and one per cent respectively.

But the one area in which respondents to both surveys appear to agree is that companies need to spend more on security than they did previously and that security is of such importance that it needs to be put under the supervision of the board of directors. However, many admit that there is still some way to go and the surveys show that doubts remain about the workability of security plans in practice as well as the ability to keep pace with newly emerging threats.

Taken together, these two surveys show that companies are thinking more seriously about security than they did previously, but gaps remain. In addition, some company officers appear to have their heads in the sand with regard to new risks that they face in their operations, including their ability to comply with new regulations. Industry observers such as investment professionals and analysts appear to be more tuned in as to the risks that these regulations pose to businesses. It is time for businesses to wake up now to the threats such regulations pose to their operations - before the first legal cases are tried.

Copyright © 2004, IT-Analysis.com
