Information Security News mailing list archives

Businesses 'do not grasp IT risks'


From: InfoSec News <isn () C4I ORG>
Date: Wed, 31 Jan 2001 05:16:28 -0600

http://news.ft.com/ft/gx.cgi/ftc?pagename=View&c=Article&cid=FT36N4F6MIC&live=true&tagid=IXLMS1QTICC&subheading=global%20economy

By Andrew Bolger, Insurance Correspondent, in London
Published: January 30 2001 23:08GMT | Last Updated: January 30 2001

Businesses do not adequately understand the risks posed by technology,
have difficulty identifying potential risks and lack the tools to
manage them effectively, according to a survey of 1,500 US and
European executives, released on Wednesday by St Paul, the
Minnesota-based global insurer.

The survey of executives responsible for their companies' insurance
coverage also indicates that although they take pains to protect
computer security, companies are less prepared for new liability risks
associated with information technology and e-commerce.

"The survey indicates that companies rely chiefly on systems-based
protection, such as anti-virus software and computer firewalls, to
prevent losses from technology risks," said Kae Lovaas, a
vice-president of St Paul.

"But that's not enough. Exposures involving intellectual property,
privacy and first-party risks from computer fraud, business disruption
and denial of service pose significant financial risk to companies
doing business on the internet."

Mr Lovaas said that compared with more traditional property-casualty
risks, companies were poorly prepared for the risks posed by
technology and e-commerce.

"Not only are companies unsure of the risks presented by their
business operations, they also have substantial difficulty
understanding what types and levels of insurance coverage they need,"
he said.

Schulman, Ronca & Bucuvalas, the independent New York-based opinion
research firm, conducted the survey. The companies surveyed covered a
broad range of industries, as well as additional samplings of
financial services and high-technology companies. In the US, insurance
agents and brokers were also surveyed.

The survey finds computer, internet and e-commerce risks are
considered among the most important that companies will face in the
next few years. Among US corporate risk managers and their insurance
agents and brokers, such issues rank second only to employment-related
risks. In Europe, risk managers consider technology risks the leading
concern.

However, only 25 per cent of US and 30 per cent of European companies
surveyed had risk management committees or other formal structures to
identify and monitor technology risk. Of those companies with such a
committee or structure, only half - or about 13 per cent of
respondents - felt it was effective. Only about three in 10 risk
managers had reviewed the potential technological risks posed by a
merger or acquisition involving their companies.

"In essence, there is a leadership opportunity on this issue in many
companies," Mr Lovaas said. "Senior management has the responsibility
to take the lead and foster a partnership approach between their IT
departments and risk management functions."

Nearly all US and European companies have taken similar steps to
protect themselves from technology-related risks, such as installing
anti-virus software and firewalls, establishing standard security
procedures, and auditing the security of their systems. But only six
in 10 companies have implemented employee-training programmes to lower
their technology risk.

ISN is hosted by SecurityFocus.com