Reprisals from recently departed employees and a lack of adequate security budgets and resources are becoming major concerns for senior IT professionals, according to the 12th annual Ernst & Young 2009 Global Information Security Survey (GISS).
The survey, which canvassed nearly 1 900 senior executives in more than 60 countries, showed that 75% of respondents said they are concerned with the possible reprisal from employees who have left their organisations. In adition, 42% of respondents are already trying to understand the potential risks related to this issue and 26% are already taking steps to mitigate them.
Paul van Kessel, global leader of Ernst & Young’s Technology and Security Risk Services, comments: “With the economy still in recession, employees that are made redundant may feel resentful towards their previous employer in a number of ways that may affect the smooth operation of an organisation. Increasingly, the employer’s IT system has become a common target and data theft is also prevalent. It is paramount that companies undertake a specific risk assessment exercise to identify their potential exposure and put in place appropriate risk-based responses.”
Yvette du Toit, senior manager Risk Advisory Services at Ernst & Young South Africa, points out that while this country was spared the worst effects of the global recession, there is no doubt that the slowdown has cost jobs. “The premise of the likelihood of disgruntled ex-employees therefore holds; it is a risk which applies to companies in this country as much as it does to international organisations,” she says.
Allocating adequate budget to information security continues to be a challenge in 2009, with a total of 50% of respondents ranking this as a ‘high’ (4) or ‘significant’ (5) challenge; this is a very notable increase of 17 percentage points over 2008. This finding is also particularly striking in light of the fact that 40% of respondents indicated that they planned to increase their annual investment in information security as a percentage of total expenditures and 52% planned on maintaining the same level of spending.
Van Kessel continues: “Information security today already requires a lot more investment, as organisations race to catch up with an accelerating threat landscape, after a much delayed start. However, information security is not immune to external economic forces and senior IT professionals will need to improve efficiency and effectiveness while keeping spending to a minimum.”
The survey revealed that regulatory compliance is also a top priority for information security leaders and continues to be an important driver of information security improvements.
When asked how much their companies were spending on compliance efforts, 55% of respondents indicated that regulatory compliance costs were accounting for moderate to significant increases in their overall information security costs. Only 6% of respondents plan on spending less over the next 12 months on regulatory compliance.
Du Toit says regulations designed to ensure a good base for organisational security are having the desired affect: “Government and industry-led regulations are delivering a generally better-structured approach to information security. On the one hand, it is good news that becoming compliant is changing security procedures or policies for the better. On the other hand, many organisations are still viewing compliance as a by-product rather than the primary driver of information security.”
Due to a heightening occurrence of data breaches, data protection is at the forefront of many information security leaders’ minds. Implementing or improving Data Leakage Prevention (DLP) technologies is the second-highest security priority in the coming 12 months, identified by 40% of respondents as one of their top three priorities. Data leakage prevention is the combination of tools and processes for identifying, monitoring and protecting sensitive data or information.
One of the most startling findings is how few companies are encrypting their notebooks. Only 41% of respondents are encrypting them with 17% planning to do so in the next year. This is surprising for a number of reasons: the number of breaches that have occurred due to loss or theft of laptops; the fact that the technology is readily available and affordable to implement; and that the impact to users during deployment is relatively low and should no longer be a barrier.
Du Toit says the GISS indicates that while security continues to enjoy a reasonable focus from the IT department, the levels of internal and external risks continue to increase. “Managing information security risks effectively requires an approach that is flexible and focused on what matters most to the organisation: protecting critical information. Only by understanding the use of information within critical business processes can the information security function achieve the goal of soundly mitigating risk.”