Survey throws spotlight on information security
Oct 31 2008 By Neil Austin for The Journal
THREATS to information security are still poorly understood by many businesses. Lapses in information security among UK businesses are poorly recorded and understood, reflecting a lack of understanding of the threat level that organisations face, according to the findings of PricewaterhouseCoopers’ annual Information Security Survey 2008.
The findings confirm many of the recent trends and developments in information security that UK organisations have experienced.
Although organisations continue to invest heavily in security tools such as software for intrusion detection, encryption and identity management, they are still struggling with their security processes, the study shows.
Most companies in the sample did not know where their data was located, 37% weren’t sure how many incidents they had had and more than half could not say what type of security incidents had occurred or what had caused them.
Some 30% of companies had neither measured nor reviewed the effectiveness of their information security policies over the past year.
Confidence about the effectiveness of their organisation’s information security activities was also quite low among the UK executives polled.
Less than one in three said they were very confident that their information security was effective while even fewer, less than one in four, felt very confident about the effectiveness of their suppliers’ or business partners’ security.
The latter is perhaps not a surprising finding given the recent problems that some organisations have encountered over security lapses when third parties have handled their data.
There appears to be an overall misalignment with executive management’s view of security, causing many organisations to fail to capture the full value from their spending in this area.
Information has become the new currency of business. Its availability, integrity and confidentiality are crucial components of a collaborative business.
The study also shows that although UK companies have clearly invested heavily in technology, when issues of information security are raised, there is a tendency to focus on purely technical safeguards. This finding is consistent with the results of the information security breaches survey which PricewaterhouseCoopers carried out for the Department for Business, Enterprise & Regulatory Reform earlier this year, which showed that recognising information security as not just an IT issue is crucial to keeping data safe.
People, in particular employees and former employees, remain the biggest threat to information security. According to the survey, employees and former employees were together responsible for 41% of the incidents (50% globally), although not all of those incidents were malicious.
The main impacts of all incidents on UK companies were financial losses (40%), fraud (28%), intellectual property theft and brand/reputation compromised (both 25%). Some 13% of the incidents cost UK companies between $100,000 and $500,000 (£57,000 to £287,000) each.
One of the best ways of improving security across a business is to match technology investments with a commitment to other key drivers: the critical business and security processes that support technology and the people that administer and use them. Also, lack of ownership and accountability for security is often a major contributor to breaches.
Information security should be a key consideration in any organisation’s projects and programmes and the responsibilities for driving awareness and policy need to be joined up.
Looking ahead, the survey identified the key concerns for organisations as the protection of privacy, controlling access to data, outsourcing arrangements and third party relationships.
Information security is now seen as a high priority by UK companies and the adoption of risk-based approaches to compliance is starting to emerge as a key strategy.
For further information, please contact Neil Austin, risk assurance services director at PricewaterhouseCoopers LLP in Newcastle on (0191) 269-4029 or email neil.austin@uk.pwc.com www.pwc.co.uk/newcastle