Survey finds security practices appalling

Despite recent virus attacks, individuals are reluctant to review their security practices, according to a recent survey conducted by Central Command. The results, however, were completely in line with the general feeling among industry analysts that security is not seen as a priority among users.

The survey, titled “Are You Practising Safe Computing?”, was e-mailed to approximately 750,000 PC users worldwide, with a 12 per cent response rate. Over one-fifth of both personal computer and office users exposed their systems to viruses by opening unknown e-mails. At press time, a new virus, called Nimda, was being spread via e-mail attachment, HTTP or across shared hard disks in internal networks. It appeared in inboxes called “Readme.exe”.

Keith Peer, the CEO of Central Command in Medina, Ohio, said the biggest surprise is that while the public’s awareness of viruses has increased, practices have remained the same.

“The biggest thing was (despite) the recent viruses, warnings and information being published, people still aren’t changing their habits… People are practising in the same old fashion as five years ago,” he said. While 48 per cent of respondents said they had heard of viruses like Code Red, Hybris or Loveletter, only nine per cent changed their security practices when online. He said their behaviour can be explained by a lack of education on viruses and the misconception that the data stored is not crucially important.

Peer added that individuals are not taking security seriously; 38 per cent of respondents said they reported losses of over US$500 million because of the damage associated with worms, viruses or other infected applications.

Analysts spoken to were not taken aback by the results in the least.

“No, that’s completely in line with my experience. Fundamentally, people are unwilling to invest money in rock solid security investments,” said Larry Karnis, senior consultant for Application Enhancements in Brampton, Ont. He said in IT, with budgets tightening – regardless of the fact that security is viewed as important – it does fundamentally impact the bottom line in spending.

Karnis said in IT, managers need not sign on for more education, as they are already aware that outages, if they occur, are costly. Instead, it becomes a game of Russian Roulette. “Sometimes it’s easier to say ‘You know what, I’ll hope my firewall can take care of it and cross my fingers.’” It is an exercise in the worst-case scenario, with managers deciding that in some cases, it is cheaper to do nothing than to install security patches. The most culpable are the medium-sized organizations that don’t have the finances in their budgets to support security infrastructure costs, he added.

Individual PC users are also relatively lax in their security practices. “If people aren’t willing to spend the money on a tape drive to save six months’ worth of work, why would they spend any more on anti-virus software and security practices?”

Joey Roa, analyst for LightYear Capital in Calgary, said most security professionals would not be shocked to learn users are not overly concerned about viruses and security. He did make a distinction between the business community and personal PC users, saying he felt companies were more proactive because IT managers are concerned about data and data storage and understand the losses associated with downtime. “Users, left to their own devices, have to incur costs, or buy the software, keep it current and install it. That’s asking a lot from the consumer user base.” Consumers need to be made more aware that there is a real danger of losing data, he said.