In-Depth

CIOs Lack Content Control; Spyware Guns for SMBs

Are content management systems up to SOX compliance? Also, how spyware affects small and medium-size businesses.

• By Mathew Schwartz
• 05/23/2006

CIOs Lack Content Control

The Sarbanes-Oxley Act (SOX) mandates publicly traded companies secure their sensitive financial information. Yet many CIOs think their content management systems (CMSes) aren’t up to the task.

According to a recent survey of 29 CIOs, each at a company that has invested $1 million or more in a CMS, 38 percent think content being edited or collaborated on is a security risk, and 28 percent fear what happens to information after it gets finalized and distributed.

Currently, three out of four CIOs say they simply want their CMS to do a better job of keeping content secure, from creation through distribution. Otherwise, how are they supposed to secure sensitive content?

Many companies are now tapping their content management systems to effect better compliance controls, notes Landon Lack, vice president of business development at SealedMedia, which commissioned the study. With regulators’ increased pressure on companies to better secure such information, he predicts the CMS will “play a larger role in extending policy-based content control.” That goes for information shared either internally or externally, with the CMS becoming “increasingly important as more and more content is shared across the value chain.”

While ensuring financial information regulated by SOX is restricted on a need-to-know basis, and that every change or access gets logged, CIOs also have several non-regulatory concerns. For example, many respondents noted the damage leaked information could cause to their company’s executives or stock price, and the potential harm to the bottom line from lost trade secrets.

Technology, however, isn’t the only impediment to better securing content. Currently, fewer than half of all employees at surveyed companies, on average, actually use the CMS. Furthermore, about half of all employees continue to store sensitive content outside the CMS. To get employees to use the CMS, so content security controls function as intended, CIOs must also pursue ways of changing their corporate culture.

Spyware Guns for SMBs

Many large enterprises now block spyware, spam, and other threats and nuisances. Yet such threats also affect small and medium-size businesses (SMBs), which overall have fewer resources to deal with them, and thus may be more attractive targets.

How bad is the SMB spyware problem? “More than 50 percent of small and medium-sized businesses experienced a spyware attack during the first quarter of 2006,” notes a recent report from anti-spyware software vendor Webroot Software.

For companies affected, the outcomes from such attacks included decreased system performance (for 63 percent); a reduction in employee productivity (56 percent); and a discernible impact on the business’s bottom line (34 percent). Theft of sensitive company information, and an inability to access critical systems, is also a concern.

According to Webroot, SMBs are “especially attractive to spyware criminals due to their often limited IT resources and lack of network security.” While 91 percent of enterprises have IT departments, only half of small businesses infected by spyware say they have an internal IT contingent.

In short, “larger enterprise organizations have extensive internal IT departments, deep revenue sources, and can publicly be held accountable to millions of stockholders and customers should a data security breach occur,” says David Moll, CEO of Webroot. Smaller companies, by contrast, often have no such safeguards. Many also lack an adequate disaster recovery plan. Hence for SMBs, a particularly nasty spyware attack “could easily dismantle an entire business.”

Related Articles:

• Anti-Spyware Shootout
• New York Sues Over Alleged Spyware