Aggregated China Business Blogs



Shocker: Data Security in China Stinks!

Aggregated Source: Catching Mice in China
November 28, 2007

Shanghai Daily reports:

China lags behind global levels of information security and the gap is in the policy environment and business awareness - not in technology, PricewaterhouseCoopers said yesterday in Shanghai.

Chinese firms lack protection of privacy, intellectual property and internal control, according to the fifth annual Global State of Information Security Study 2007 jointly conducted by PWC, CIO Magazine and CSO Magazine.

The respondents to the survey were readers of CIO and CSO magazines (the acronyms are for chief information officer and chief security officer) and PwC customers. There were about 800 survey participants from China and Hong Kong. The people surveyed work for enterprises with 1000+ employees. Not exactly a representative sample, but nevertheless it does capture the dismal data security conditions here.

Charlie Fu, the PwC partner who presented the findings, blamed a “…lack of related laws, such as data privacy protection, and a regulated business environment in China”. I believe he meant (the article isn’t quite clear) that without regulations such as privacy laws and industry standards, companies won’t make the investments to protect data.

I disagree, as the survey data he quotes would give any senior manager more than enough motivation:

A lack of maturity in China’s information security safeguards has impacted business, with the highest percentages reported for financial losses (23 percent) and intellectual property theft (18 percent) being in China, according to the survey.

A “lack of maturity” can be read as poor administration and management indifference. This isn’t a problem of talent or technology. China has both in spades. The onus is on management. Obviously managers aren’t going to be IT experts running around troubleshooting a firewall. They are, however, ultimately responsible for ensuring the security of their company’s digital assets.

This doesn’t require an advanced degree in rocket science, just a reasonable effort to understand what IT resources are important. Managers need to set out goals and objectives in the form of policies to guide IT staff and/or services vendors. They, in turn, take that guidance and document, design, and implement appropriate solutions. Periodically management should bring a third party in to provide an independent audit.

If all this sounds a little too onerous, consider what PwC had to say about the most probable threat to data assets (overall, not just in China):

This year marks the first time “employees” beat out “hackers” as the most likely source of a security incident. Executives in the security field, with the most visibility into incidents, were even more likely to name employees as the source.

They rightly point out that this is not necessarily due to some sudden surge in nefarious employees, but rather that organizations are investigating security incidents more closely.

The central point of the survey is that management’s awareness of security has risen, but the response is still limited to another budget line item for some security solution. Managers have only a vague idea of what is important and little or no understanding of what’s being done (and why) to mitigate the risk. The result is an organization blissfully oblivious to threats until some breach precipitates a panicked spending spree.

So the next time you hear someone fretting over their security or agonizing over their intellectual property, it’s a pretty safe bet they do have problems. If a manager doesn’t know what’s going on, it’s pretty certain that the IT staff doesn’t know either.




Copyright Catching Mice in China