Execs rate protection of IP higher than customer data: Ponemon

Summary: A new global data security survey by the Ponemon Institute has found Australia’s IT security professionals believe that company executives would prefer to spend money on the protection of intellectual property over customer data security.

TOPICS: Security, Australia

A new survey by the Ponemon Institute has shown that, according to Australia's IT security professionals, company executives would spend more money on IP security concerns than on customer information breaches, despite the latter occurring more frequently.

The study, Exposing the Cybersecurity Cracks: Australia Part 2, found that although there were more known data security breaches involving customer information, breaches concerning intellectual property took precedence when it came to increasing investment in security infrastructure.

The research showed that, of the top three events respondents said would compel executive teams to allocate more money to digital security initiatives, "exfiltration of intellectual property" came in at number one with 65 percent of respondents naming it in their top three, well over the event of a data breach involving customers' information, which drew the attention of 58 percent of respondents.

Meanwhile, almost 90 percent of respondents said they personally knew another security professional whose company had sensitive or confidential data stolen as a result of an insider threat, with 67 percent saying that the data stolen by the insider was customer information, and 62 percent of respondents saying that intellectual property was stolen.

This is the second report of a two-part study undertaken by the Ponemon Institute and sponsored by security firm Websense.

The study surveyed 200 IT and IT security practitioners in Australia with an average of nine years' experience in the field. The study was also conducted in another 14 countries, including the United States, China, and Singapore.

According to the survey's findings, a third of data security teams never speak with their executive team about security. Of those that did, 22 percent spoke to executives about security "semi-annually".

A third of the respondents said that if they had the resources to do it, they would completely overhaul their current enterprise security system. However, only 38 percent of respondents said they were planning to make significant investments or adjustments to their security defences over the next 12 months.

For Gerry Tucker, Websense Australia and New Zealand country manager, the survey highlights a lack of communication between IT professionals and company executives.

"This highlights that a lack of communication, education and inadequate security systems is making it possible for cybercriminals to attack organizations across the globe," said Tucker.

"It's not surprising that many security professionals are disappointed with the level of protection their current solutions provide, as many still use legacy solutions that cannot disrupt the kill chain to prevent data theft," he said.



Leon covers enterprise technology and start-ups from ZDNet's Sydney newsroom.



1 comment
  • Erroneous conclusions?

    This is not a communication problem, it is a culture problem. Sure, there is a breakdown in communication, but that is a symptom - there's no point raising issues of inadequate security when experience tells you it could negatively affect your career, and nothing will change anyway. This isn't a private sector problem either, it happens in government just as much.

    The problem is accountability - in the case of most Australian companies and government departments, breaches of customer data do not result in crippling or even onerous fines, they do not result in a mass exodus of customers from their services. Overhauling company wide security, even doing proper security evaluations and audits is expensive work that requires skilled people or specialist organisations that don't come cheap, so ignoring the problem is significantly less expensive. It's a game of risk, much like having insurance, except the perceived 'loss' mostly doesn't impact your company - it's only customer data after all, the bottom line will only take a minor dip, 'we can live with that'.

    You want to fix this problem? Change the culture at the executive level. Legislate massive, near-crippling fines and personal, legal liability for executives overseeing customer data storage - if everything that could be done was, then they met their legal obligations, but if they failed to secure their systems and ignored warnings by technical staff then they get jail time for breaches.

    I bet there won't be a 'communication problem' between security staff and executives after that ;-)