Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Thursday, September 23, 2004

CEOs Stagnant on Security

CEOs aren’t doing enough to address the myriad IT security threats that loom large.  At least that’s what Ernst & Young concluded from survey results it released.

E&Y contacted 1,233 organizations representing 51 countries for its “Global Information Security Survey 2004,” a report meant to gauge enterprise perceptions of security.  “Perhaps the remarkable thing is how little attitudes, practices, and actions have changed since 1993—during a period when threats have increased significantly,” the report states.

The survey found that only 28 percent of global respondents noted “raising employee information security training or awareness” as a top 2004 initiative, despite the fact that a “lack of security awareness by users” was their top IT security obstacle.

Sixty-seven percent of the organizations surveyed view information security as being an important part of achieving their organizations’ overall business goals and objectives.

Employee misconduct involving information security was noted by 60 percent of respondents as being a high-level concern for organizations over the next 12 months.  They were noted by 68 percent of respondents as being responsible for an unexpected or unscheduled outage of a critical business system.

In contrast to the incidents reported from those external threats, incidents originating from former or current employee misconduct were noted by only 24 percent of respondents.

In 2003, 21 percent said the spending would increase significantly while 40 percent said it would increase slightly.

Earlier this year, research firm IDC reported 59 percent of its survey base indicated that IT security spending would increase.

Company chiefs are aware of the threats of information security breaches posed by their employees, but are failing to safeguard their assets against insider attack.  Keeping control of security will only get more difficult as organisations move toward increasingly decentralised business models through outsourcing and other external partnerships, Ernst & Young’s 2004 Information Security Survey warns.

“Companies can outsource their work, but they can’t outsource responsibility for its security,” Edwin Bennett, global director of Ernst & Young’s technology and security risk services, said.

“Fewer than one-third of those companies conduct a regular assessment of their IT providers to monitor compliance with information security policies - they are simply relying on trust.

Organisations have to demand higher levels of security from their business partners.”

The Ernst & Young survey found that organisations remain focused on external threats such as viruses, while internal threats are consistently under-emphasised.  Companies will readily commit to technology purchases such as firewalls and virus protection, but are hesitant to assign priority to human capital.  And that leads to “damage from insiders’ misconduct, omissions, oversights, or an organizational culture that violates existing standards”.

More than 70 percent of the 1,233 organizations questioned by Ernst & Young failed to list training and raising employee awareness of information security issues as a top initiative.

That’s just not good enough, it says.  “More could and should be done to transform the skills and awareness of their people, who often present the greatest opportunity for vulnerabilities - and convert them into its strongest layer of defence,” Ernst & Young’s Bennett concludes.

Posted on 09/23