New Developments
In New Developments, internal auditors will find information about the most recent IT and audit research reports and survey results; new IT, security, and privacy legislation; and other news items of importance to auditors.
Survey Discusses Top Security Issues
A new survey by Positive Networks, a provider of remote access technologies, unveils the top security issues network security professionals and systems administrators should be prepared to address in 2008. IT Security and Authentication: Key Concerns in 2008 (PDF, 315 KB) summarizes the responses of more than 300 U.S. IT professionals in different industry sectors including health care, financial services, and retail on security issues such as authentication, personal security preferences, data protection, and identity theft. Among the survey's main findings is the perception that many organizations do not have the appropriate security practices in place.
According to survey results, 20 percent of respondents admit to a breach that included some loss of sensitive data or allowed access to restricted resources, while 70 percent suggest that their current practices for authentication are not secure. In addition, 52 percent indicate that their company is extremely focused on providing more security around sensitive data, and a majority of IT professionals surveyed — 84 percent — say that security access to corporate resources, such as network access, e-mail, and company data, is a moderate or high concern. What's more, nearly half of respondents — 48 percent — state their current focus on IT security is higher than in previous years.
In terms of authentication, 79 percent of respondents rate their company's current authentication systems as somewhat secure or worse. One of the reasons for this finding is the prevalence of passwords as the only means of authentication. For example, more than half of survey participants still rely only on passwords to authenticate user access to corporate resources, and more than 70 percent do not employ two-factor authentication or have implemented it in a limited capacity. Consequently, 70 percent of IT professionals do not believe usernames and passwords are adequately securing IT assets, a belief mirrored by the presence of stricter data security requirements in regulations such as the Payment Card Industry Data Security Standard, U.S. Health Insurance Portability and Accountability Act, and the U.S. Gramm-Leach-Bliley Act.
The survey also asked IT professionals about their perspectives on securing access to their own personal and financial information. The vast majority — 84 percent — ranked their level of concern as moderate to high, and nearly 80 percent say that usernames and passwords do not provide adequate security for accessing their own personal and financial information online. Furthermore, one in five respondents have experienced identity theft personally, even though most take precautions such as changing their passwords at least once a month, using strong passwords, and not using the same password for multiple logins.
"Because IT professionals have large concerns with personal and corporate data breaches, two-factor authentication will become more widely adopted in 2008," the report concludes. "The innovations of new technologies will make user adoption easier to manage and less expensive for companies to implement."
IT Security and Authentication can be downloaded free of charge from the Positive Networks Web site (PDF, 315 KB).

