[ISN] Global firms 'lax on information security'
isn at c4i.org
Thu Oct 7 05:50:01 EDT 2004
October 7, 2004
Global corporations are failing to safeguard their information
networks against potent threats from viruses, worms and especially
their own employees, according to a report unveiled here on Wednesday
by consultancy firm Ernst and Young.
The Global Information Security Survey said while corporate leaders
were increasingly aware of the risks to their information security
from people within their organisations they are not acting on that
"More than 70 percent of the companies surveyed failed to list
training and raising employee awareness about information security
issues as a top initiative," the report said.
Ernst and Young polled more than 1233 organisations from across 70
countries. There were 69 respondents from India making it the second
largest country sample.
"While organisations remain focused on external threats such as
viruses the internal threats are constantly being under-emphasised,"
said Terry Thomas, partner, Ernst and Young's Risk and Business
"People and organisational issues are equally important. Because many
insider incidents are based on concealment, organisations are often
unaware that they are being victimised," Thomas told reporters.
The report said as corporations are increasingly outsourcing business
to thrid party vendors outside their region it was becoming more
difficult to retain control over the security of their information.
"The more likely and most lethal threats are those originating from
within an organisation's growing extended enterprise," it said.
The report said 80 percent of the organisations surveyed failed to
conduct regular assessment of their IT outsourcer's compliance with
the host organisation's security regulatory requirements.
Most organisations, it said, felt that information security had no
value when "there is no visible attack.
"This perception has remained unchanged over the decade that Ernst and
Young has been conducting the survey. The topmost obstacle to
effective information security today is the lack of security awareness
by users," said Thomas.
Although 67 percent of the organisations claimed information security
was "very important ... persistent gaps continue to exist in the
amount of diligence and resources that are deployed to improve the
degree of protection.
"Information security threats are more lethal today. We expect that
incidents, particularly internal ones, will proliferate unless senior
management makes information security a core management function,"
In India, 91 percent of respondents said they had anti-virus systems
installed and 56 percent had specific anti-spam protection for their
However, less than half of respondents from India and globally
provided employees with ongoing training in security and control, the
Indian organisations, it said, had cited "availability of skilled
staff" to implement security as their top problem with "user
awareness" in second position.
"India is emerging as a favourite destination for outsourcing but
organisations are not really understanding the security implications,"
"They rely mostly on faith and trust rather than addressing hard
facts. Employee misconduct is ranked as the number two worry in the
world but it is third on the list in India," he said.
More information about the ISN