Security's pathetic while management's apathetic: Ernst & Young

A "failure to invest [in] and failure to enforce" information technology safety measures will lead to an increase in organisational security breaches around the world, according to advisory and research body Ernst & Young.

The body said in its Global Information Security Survey 2004 that "quite a few organisations aren't 'doing security right'".

Ernst & Young said its survey -- which involved interviews with more than 1,230 organisations in 51 countries -- found that "lack of security awareness" amongst employees was rated the top obstacle by the majority of organisations.

However, only 28 percent of the respondents listed "security training or awareness" as a number one initiative for 2004.

"The will to commit resources ... is not reflected in outward action," states the report, as "no amount of technology can reduce the human dimension." According to the survey, "persistent gaps" continue to emerge in the level of diligence and the resources purchased by a company to ensure a minimum level of security, "particularly in security awareness and training".

"Management is hesitant to assign priority to human capital but will readily commit to technology purchases," states the survey, which also reveals that less than half of organisations globally provide employees with ongoing training in security and controls.

Internal threats are also under-emphasised as an IT security threat, according to the survey, which states that although organisations may focus on external threats such as hackers and viruses "the most lethal threats are those originating from within".

"The fact that internal incidents don't garner media scrutiny isn't because they don't happen," the survey said.

According to the results, organisations rated "employee misconduct involving information systems" as a "distant second" behind external virus threats as the biggest security concern in an organisation.

"We expect that incidents - particularly internal ones - will proliferate unless senior management makes information security a core management and governance function," stated the survey.

The survey found that close to 70 percent of the responding organisations' boards of directors did not receive quarterly reports on the status of company information security, while only 20 percent of respondents agreed that information technology security was a CEO-level concern.

The failure of organisations to monitor security with outsourcers is also becoming an "ever-growing risk", according to the survey, which states that "senior management is more trusting than prudent".

"They [management] may feel, wrongly so, that their organisation is adequately protected, when in reality their significant technology investments are undermined by any number of process flaws," it said.

Around 80 percent of respondents failed to conduct regular security assessments of outsourcers, according to the survey, to ensure that security regulations are complied with. The survey also revealed that 70 percent of organisations worldwide did not regularly assess outsourcers' compliance with the organisation's policy on information technology security.

The survey stated that many of the responding organisations should not feel at ease with their level of information technology protection.

"The number of unaddressed security areas suggests that many organisations should not feel comfortable and secure, since they neither know themselves or their enemies very well," it said.


Talkback 4 comments

    Anonymous -- 08/10/04

    I seem to come across articles such as this one over and over again with the same message but from different consulting firms emphasising the need for security outsourcing. Although there is some truth out there regarding that, it just seems to be more of a marketing tool and advertisement for their organisation. Some of these major consulting firms are not even as technically knowledgeable in security as they claim to be.

    Anonymous -- 08/10/04

    Maybe people are trusting and don't like the thought of living in fear by locking everything down tight with expensive gizmos.

    People can break into my house. I installed security grills as a basic measurement but they can easily get in through the roof. Should I allocate a vast amount of money in securing the building down so tight that it takes 5 minutes to get in? Or just accept that it should be good enough to stop most attacks, with only my most valuable stuff locked securely away.

    Anonymous -- 09/10/04

    Business is too focused on profit margins being maintained. While you're sleeping, who's peeping?

    The Internet should have been born with paranoia in mind of administrators and legislators in the first place.

    How do you undo what has already been done?

    A global approach and agreement is needed as to the security practices, laws and punishment for abuse of the internet and the privileges it brings. All companies and individuals need to unite to battle this war against those with no conscience.

    The Internet is no longer value for a lot of businesses or individuals because of the lack in security and lack of urgency in dealing with it!

    Anonymous -- 11/10/04

    "Advisory and research body Ernst & Young"??? Ernst & Young are not an "advisory and research body", they are one of the world's four largest accounting and consultancy firms, and, as the first poster below comments, are after consultancy business, which is why they instigate reports of this nature. That's not to say that their report is necessarily incorrect, but to reprint their claims wholesale without any reference to their own vested interest is extremely sloppy journalism.
