Companies may be spending more on their information security infrastructure, but they still aren't implementing, measuring and reviewing the relevant security and privacy policies. As a result, they're still not aware of how many security incidents they're experiencing even though there is more incident monitoring and reporting technology available.
The 2007 Global State of Information Security Survey (by PricewaterhouseCoopers, CIO and CSO magazines) shows that although companies are heavily invested in technology safeguards such as network firewalls, data backup, user passwords and spyware, their time investment in practical measures is low.
They do not audit or monitor user compliance with security policies, and less than half of survey respondents have measured or reviewed the effectiveness of security policies and procedures in the last year.
Most companies do not even document enforcement procedures in their information security policies.
Angeli Hoekstra, national leader of PricewaterhouseCoopers SA Technology Advisory Services practice, says that companies have a great awareness of IT threats and invest in tools and safeguards to protect themselves.
“But having sound infrastructure is only half the solution. They need internal policies that ensure appropriate use and protection of corporate information systems.”
Hoekstra adds that it is also of no use having fantastic monitoring systems in place that gather data about the state of security in an organisation without actually having anybody analysing the results and taking action accordingly. This is a problem in South Africa, where qualified security specialists are difficult to find.
Another problem identified in the survey is that IT security spending is not always aligned with business objectives. Only 22% of respondents report their information security spending is completely in line with business goals. This gap will only start to close when compliance practices become more tightly aligned with broader risk management objectives.
On the positive side, though, Hoekstra states that there is increased interest in South Africa in Identity Management, a system of security measures and controls that ensures the right people get the right access to systems and data at the right time. If implemented in the right way, by involving business, it will align business goals with security spending. Unfortunately, the broader business is not always included.
The study also reveals a lack of agreement between CEOs, CIOs and CSOs on security priorities and spending. The Chief Security Officer is focused on spending to ensure regulatory compliance whereas the Chief Executive and Information Officers have business continuity and disaster recovery as the top priorities for information spending.
Privacy of data also remains a low focus for security executives. Only one third of respondents keep an accurate inventory of user data, including the locations and jurisdictions where the data is stored. Only a quarter keep an inventory of all third parties using customer data.
Employees are now at the number one spot as the most likely source of an information security event, surpassing hackers. Email and abused valid user accounts are cited as the primary methods for such attacks, yet half the respondents fail to perform even the most basic people-related safeguard checks on personnel, such as background checks and monitoring employee Internet use.
Companies lacking these basic risk management tools are vulnerable to accidental internal threats coming from employee acts that are not even malicious or intentional.
Naeem Seedat, senior manager, Technology Advisory Services, says that corporates are also struggling with extending security to third-party users and do not know if outside users are in compliance with information security policies. When it comes to the information security of partners and suppliers to the business, 70% are not comfortably confident in the security measures that outside parties implement.
“An organisation’s partners can inadvertently become its biggest threat.”