Security Audits: Important but Rare
A new survey finds that there is little follow-up to security audits.
Securing data networks is important enough for the majority of companies to hire outside security firms to audit their systems, but only about one in three bother to have their network audited every year, according to a new survey conducted by VanDyke Software and independent researcher Amplitude Research.
At a time when enterprise companies, government agencies and Average Joes are doing everything they can to protect sensitive data, the survey reveals both an admirable willingness on the part of most IT departments to pony up for external expertise and an astonishing lack of follow-through to keep data secure for the long haul.
The survey asked 350 IT executives and network administrators to describe why and how often they audit their data systems, both internally and with the assistance of external security contractors.
However, 72 percent of IT executives did acknowledge that an external security audit was "worthwhile." Of this group, only 35 percent conducted outside audits on an annual basis and 14 percent of companies said they can go three years or more between audits.
Forty-three percent of those surveyed admitted that they should undergo security audits, both internal and external, more often.
"These results can provide encouragement to companies to conduct outside security audits or increase the frequency of audits if already being conducted," Amplitude Research CEO Steve Birnkrant said in a statement.
The report also found that of the 24 percent of companies that admitted to never subjecting their data systems to an external review, 47 percent said they felt they didn't need an audit. Another 24 percent blamed budget shortfalls and audit costs for passing.
Meanwhile, the vast majority (65 percent) said the main reason they did conduct external audits was to "show other parties that the company has been audited."
A similar survey released last week by Imperva and the Ponemon Institute found that 55 percent of U.S. and multinational companies are securing customer credit card data but aren't protecting other vital personal information such as Social Security numbers, phone numbers and bank account details.
Article courtesy of InternetNews.com.