First, the good news. Nearly two out of three (63%) information managers expect spending on infosecurity to stay the same or even increase despite their companies remaining cash-strapped in the recession.
According to the seventh annual Global State of Information Security survey, published by PricewaterhouseCoopers last October, information security budgets are safer than anticipated, at least for now.
With just 12% of respondents believing that spending on information security will be cut over the next 12 months, up from 5% last year, William Beer, director of PwC’s One Security practice, said: “The recession means all budgets are under pressure, but many companies know that now is not the time to slash their security spend.”
Jon Hayton, a director in PwC’s forensic investigations team, said the findings matched what PwC was hearing from its clients in the UK. “It is good that companies have chosen not to slash security budgets,” he said, “but good security practice needs to be embedded into the DNA of a business, not bolted on as an afterthought. Unfortunately there are many organisations where this is still the case and it makes their security performance very fragile. When it goes, it can go very quickly. I have seen good security practices fall apart in months.”
And now for the bad news. UK companies and security professionals lag in their awareness and initiatives on infosecurity issues, with almost half of UK executives (49%) polled in the survey saying they did not know how many security incidents their organisations had experienced over the preceding 12 months, compared with just 7% of their Chinese counterparts.
Losing ground
The report suggests that British businesses and public sector organisations are losing ground to many of their major overseas trading partners when it comes to protecting and securing data – a crucial asset.
It says that Asian organisations have a deeper understanding about where the threats to their assets are coming from than Western ones and are likely to know not only the number of security incidents logged in the past 12 months but also the source and type of the attack.
This knowledge advantage will make it easier for them to take a more effective risk-based approach to security investments in the coming year, and so realise a better return on investment for the business.
The list of new investments in the infosecurity area is topped by the increasing use of biometrics, especially in China, where 69% of respondents reported using it to protect information, compared with just 22% in the UK.
And there’s more bad news. Only 37% of UK respondents said their organisation had an accurate inventory of where sensitive data was stored. Just 37% employed a chief information security officer, and less than half (47%) said they had a disaster recovery plan; both figures were even higher in the US.
Experts agreed that while budgets were stable globally, information security departments were under increased pressure to “perform” and provide companies with a tangible return on their investment.
Other findings were that 40% of respondents thought that threats to the security of their companies’ data had increased over the last year and, of those, a similar proportion said risks had increased due to employee lay-offs as a result of the recession.
When asked what they saw as their biggest priorities, information managers highlighted the need for an increased focus on data protection and a more intelligent prioritisation of security investments based on risk.
Beer said: “There is a host of new and emerging threats, from complex malware to attacks from cyber-criminals and electronic espionage, all of which can result in material loss and reputational damage.
“We’re also aware that, at a senior level, UK executives are extremely anxious about moving to digital business models, where core information assets, such as customer data and intellectual property, may be shared with business partners and outsourced suppliers, often in other countries. This adds another dimension to the risks involved.”
Social media worries
A staggering 80% of organisations worldwide have no policies for social networking. The PwC survey spotted growth in the number of employees accessing social networks from work and the risks this behaviour brings with it. According to 40% of respondents, their organisations have security technologies that support Web 2.0-based exchanges such as social networks, blogs and wikis. And while around a third audit and monitor postings to external blogs or social networking sites, only 23% have security policies that address this.
Statistics from international law firm Fulbright & Jaworski on enterprise-level use of social media illustrate the concern. The law firm’s 2009 litigation trends survey shows that information from social media sites is increasingly demanded as part of regulatory investigations. The survey showed 52% of UK organisations restrict employee access to social media sites like Facebook, MySpace, Bebo, LinkedIn, Plaxo, Twitter and YouTube.
According to Fulbright, this may be because 18% of those surveyed in the UK reported that in the last year they had been required to produce information from one or more of these sites as part of an e-disclosure request. In the US, the figure was 4%.
“Businesses need to wake up to the risks. It’s no longer enough just to block employee access to certain sites; these tools are pervasive and staff will always find a way round any restrictions,” said Craig Carpenter, vice president general counsel at Recommind, the information risk management solutions provider.
He added: “Too many UK organisations are still labouring under the misapprehension that e-disclosure is an American problem, but it increasingly affects businesses all over the world. With information from social media sites now being required – on top of the already ever expanding volume of email, documents and other electronically stored information – the potential cost and time implications for dealing with such requests are huge.”
Integration, not prohibition
Recommind advises UK companies not to restrict employee access to social media sites but to ensure these tools and applications are integrated into corporate information and risk management policies. This way, businesses will be well prepared should they be required to produce information from these sites within the tight deadlines often set by investigators or the court.
In tune with Fulbright’s report, PwC respondents said that the complexity of the regulatory environment was one of their chief concerns for information security to provide return on investment.
On a positive note, experts welcomed the rapid convergence in perspective: the same survey last year revealed a 16% misalignment between information security policies and business objectives.
Archana Venkatraman
Gathering the data
PwC in association with CIO and CSO magazines conducted the international survey of their clients and readers between 22 April and 15 June 2009. Results are based on responses from more than 7,200 chief information professionals, vice presidents and directors of IT and information security from 130 countries. The UK sample involved 455 respondents.