- Majority of respondents indicate that their security budgets will increase
- Information security not yet a boardroom priority
- Gap between business needs and ability to tackle security threats
According to Ernst & Young’s 14th annual Global Information Security Survey, as companies rush to “digitize” their business with new technologies and move into the increasingly borderless world of cloud computing and social media, global organizations face a growing gap between their business needs and the ability to tackle new and complex security threats.
The survey of 1,700 organizations globally found that 72% of the respondents see a rising level of risk due to increased external threats. At the same time, more than half (59%) of them plan to increase their information security budgets in the coming 12 months, focusing on areas including business continuity capabilities (47%), data leakage and data loss prevention (28%), compliance monitoring (21%), and identity and access management (21%).
Gerry Chng, IT Risk and Assurance Partner, Ernst & Young Advisory Pte. Ltd., comments: “More and more major businesses and industries are dependent on technology to facilitate their business processes. With the increased collaboration with upstream and downstream partners, data resides not just within the confines of the organization. Confronted with diminishing borders, cloud services, and increasing support of personal tablets for information mobility, companies are asking themselves how to respond to new and emerging risks and whether their strategy needs to be revisited. The focus must move from short-term fixes to a more holistic approach integrated with long-range strategic corporate goals.”
Information security not yet a boardroom priority
At the same time, indications from the survey suggest that information security may not be as high on the list of boardroom priorities as it should be. Only 51% of respondents stated that they have a documented information security strategy, and for most companies information security is not a visible item on the board agenda. The survey indicated that only 12% of respondents present information security topics at each board meeting, and fewer than half (49%) stated that their information security function is meeting the needs of the organization.
Gerry Chng says: “A pragmatic and proactive response rather than a reactive one is required. Information security needs to be more visible in the board room with a clearly defined strategy that will support the business. Most companies still have a long way to go to make this a reality. Security must be carefully planned and take into consideration the practicality of the controls, taking IT operations into account. There needs to be buy-in from the business functions, and support needs to come from the top.”
Mobile technology and social media
With organizations increasingly supporting initiatives for employees to use personal tablets to access corporate information, it is no surprise that more than half of the survey respondents ranked this adoption as the second-highest item on the list of technology challenges. Policy adjustments and awareness programs are the top two measures used to address the risks posed by this new mobile technology. The adoption of security techniques and software, however, is still low: for instance, encryption is used by fewer than half (47%) of the global organizations surveyed.
The massive popularity and growth of social media has also reshaped the IT risk landscape. Social media risks include malicious software lurking within social networks, hijacked accounts used to solicit information, and the release of confidential or negative company information or personal data.
To address the potential risks posed by social media, organizations appear to be adopting a hard-line response. A majority (53%) of the global organizations surveyed respond by blocking access to social media sites rather than embracing the change and adopting enterprise-wide measures.
Gerry Chng says: “There are existing solutions in the market that support the secure access of information on personal smartphones and tablets. Organizations should evaluate whether these solutions meet their needs, rather than using traditional channels such as web interfaces and opening up email access via the web as an option. This helps to satisfy the demands from the users to have increased mobility, while protecting the enterprise from the risks of doing so. Along with such technological improvements, the organization also needs to ramp up its security awareness program so that users are aware of the risks. The traditional paradigm of security within a perimeter is no longer valid. Organizations should embrace the change, and make security an agenda in everyone’s mind.”
Building trust in the cloud
Despite the compelling case for cloud adoption, many organizations are still unclear about the implications of cloud computing. In the survey, 48% of global respondents said that the implementation of cloud computing is a difficult challenge, and more than half of them (52%) have not implemented any controls to mitigate the risks associated with cloud computing.
The most frequently taken measure is stronger oversight of the contract management process with cloud providers, but even this is done by only 22% of respondents.
Gerry Chng adds: “There is generally a slow uptake of public cloud services for larger enterprises due to risk concerns. Such services may make sense for a small company, as the utility model of the cloud means that these companies do not need to have the capital and operational expenses to maintain their own infrastructure and applications. For larger organizations, the risks of compromising the integrity of sensitive data far outweigh the benefits they may reap from cloud computing. The concept of cloud computing is centered around easy access to data, without the need for knowledge of where the data is stored and how the cloud works. This lack of specific details makes it difficult for organizations to assess the risks to their data residing in the cloud. In the absence of clear guidance, many organizations seem to be making ill-informed decisions, either moving to the cloud prematurely and without appropriately considering the associated risks, or avoiding it altogether. Although many organizations have moved to the cloud, many have done so reluctantly.”
“In order to effectively manage IT risks in general, organizations need to get a broad and comprehensive view of the entire IT risk landscape. This holistic perspective will provide companies with a starting point to help identify and manage current IT risks and challenges, as well as those that may evolve over time,” concludes Gerry Chng.
Notes to editors:
Ernst & Young’s 2011 Global Information Security Survey, the 14th annual edition, was conducted between June and August 2011. Nearly 1,700 organizations in 52 countries and across all major industries participated.
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.
This news release has been issued by EYGM Limited, a member of the global Ernst & Young organization that also does not provide any services to clients.