London: In the rush to "digitise" their businesses with new technologies and move into the increasingly borderless world of cloud computing and social media, organisations are developing a growing gap between business needs and the ability to tackle new and complex security threats, according to Ernst & Young's 14th annual Global Information Security Survey released today.
- 72% of companies see an increasing level of risk due to external threats, yet only 12% discuss security issues in their regular board meetings
- Only 49% of respondents state that their current information security function is meeting the needs of the organisation, leaving companies vulnerable to attack
- 61% of respondents are using or considering the use of cloud computing services and this function is now the top security funding priority for the coming 12 months
Published the day before the opening of the UK government's global conference on cyber security, the survey of 1,700 organisations globally found that 72% of respondents are seeing an increasing level of risk due to the significant growth in external threats, such as hacking and data theft. At the same time, however, only about a third of respondents have updated their information security strategy in the past 12 months.
With 61% of organisations using or considering the use of cloud computing services within the next year, a growth of 16% year-on-year, the threat of security breaches has become an afterthought in the rush to adapt to the rapidly changing landscape.
Jane Cannon, Ernst & Young security and resilience partner, comments: "It is estimated that cyber security attacks cost the UK economy £27 billion a year. Confronted with diminishing borders, and changing business and IT models including cloud services, business leaders urgently need to ask themselves how to respond to new and emerging risks and whether their strategy meets their needs."
"The focus must move from short-term fixes to a more holistic approach integrated with long-range strategic corporate goals."
Budgets must be spent in the right areas
It is encouraging that 59% of respondents plan on increasing their information security budgets in the coming 12 months, a trend which goes against the current climate of cutbacks within organisations. However, only 48% believe information security strategies adequately address risk and only 51% have documented strategies in place.
An increasing number of organisations are offering support for employee-owned devices. With 46% of respondents stating that there are increased risks due to internal vulnerabilities, it is critical that organisations are aware of the risks posed by "bring your own devices" and other similar policies.
Building trust in the cloud
Respondents named cloud computing as their top information security funding priority for the coming 12 months. Despite the compelling story for cloud adoption, many organisations are still unclear about the implications of cloud and are increasing their efforts to better understand the impact of its adoption and the risks.
48% of respondents listed the implementation of cloud computing as a difficult or very difficult challenge, and more than half have not implemented any controls to mitigate the risks associated with cloud computing. The most frequently taken measure is stronger oversight on the contract management process with cloud providers, but even this is only done by 20% of respondents, indicating a high and possibly misguided level of trust.
Top level priority
The survey shows that only 12% of respondents are presenting information security topics at each board meeting.
Rather more worrying is that less than half (49%) of survey respondents stated that their information security function is meeting the needs of the organisation. Specifically in the UK, the main reason cited by respondents for this is a lack of skilled resources (23% in the UK, compared to 13% globally). With this level of risk posed to companies' reputations and operations, business leaders need to take action.
Steve Holt, financial services partner for Ernst & Young, explains: "This shows that within the UK we have a significant shortage of skilled workers in this field when compared to our international counterparts. Urgent action is required to tackle this to ensure that UK-based companies can continue to defend themselves against these growing threats."
"Data loss is on the rise. Our results show that 66% of companies have still not implemented data leakage solutions. Given customer expectation that companies will protect their personal data, more needs to be done in plugging the leaks."
Most respondents (72%) claimed that external malicious attacks were their top risk. These attacks may be fuelled by information obtained through social media and then used to send targeted phishing messages to specific individuals.
To help address potential risks posed by social media, organisations seem to be adopting a hard-line response. More than half (53%) have responded by blocking access to sites rather than embracing the change and adopting enterprise-wide measures.
Jane Cannon concludes: "A pragmatic and pro-active response rather than a reactive one is required. Information security needs to be more visible in the boardroom with a clearly defined strategy that will support the business in the cloud and elsewhere. Most companies still have a long way to go to make this a reality."
"In order to effectively manage IT risks in general, organisations need to get a broad and comprehensive view of the entire IT risk landscape. This holistic perspective will provide companies with a starting point to help identify and manage current IT risks and challenges, as well as those that may evolve over time."