Handling Infosec

by msecadm4921

A world survey of how Small to Medium sized financial and business services companies and their clients handle IT security puts Asia Pacific at the bottom of the list behind Europe, Middle East and Africa (EMEA) and the Americas, a conference in Sydney has been told.

Financial firms in EMEA pay more attention to making IT security procedures for themselves and their clients than their counterparts in the Americas or Asia Pacific regions, the survey of some 600 companies has found.

BKR International, an association of accounting and business advisory firms with more than 300 offices worldwide, and MWR InfoSecurity, a British IT security consultancy, carried out the survey because of increased concerns about hacking and a lack of IT security worldwide. The survey covered small to medium sized companies with a turnover of between US$1.5 million and US$100 million.

Don Timmins, the worldwide Chairman of BKR International, said: “With global IT attacks against business on the increase we wanted to look at how accounting and business advisory firms, as well as their clients, looked at IT security, and we are very surprised at the results.”

He added: “Professional companies look after increasing amounts of third party data but it appears that not enough attention is being paid to IT security measures that will safeguard that information. While American companies spend more time on compliance and documentation it appears that this information is often not implemented since user-awareness training of team members in the Americas companies, and the percentage of money assigned to IT security, is poor when compared to Europe, the Middle East and Africa. However, in the Asia Pacific region it is even worse.”

Timmins added: “Employee contracts, third party contracts and letters of engagement, stipulating IT security policies and non-compliance in Asia Pacific, are lower than both EMEA and the Americas, with only 17 per cent of companies in the Americas reporting that team members had regular IT security awareness training and a shocking 11pc only in the Asia Pacific region. This compared to a more reassuring figure of 44pc in EMEA.”

The whole idea of client data protection appears to be far more important in the Americas, with 76pc of companies indicating such, with EMEA lagging some 12pc behind and Asia Pacific again at the bottom of the list with only 54pc. However, companies in all three areas spent little time in reviewing IT security policy.

Stephen Hamlet, Executive Director of the BKR International EMEA region, said: “IT security compliance in EMEA is worse than anywhere else with only 32pc of companies questioned saying it was of high priority, compared to 46pc in Asia Pacific and 57pc in the Americas. In EMEA, however, 78pc of companies thought ‘reputation’, i.e. being seen to spend money on IT security, was a high priority, with only 53pc of companies in Asia Pacific believing that reputation was an issue and 47pc in the Americas.”

He added: “It would appear that companies in EMEA like to be seen to be IT secure to win over clients, while companies in America are more concerned about keeping secure in order to meet compliance regulations and avoid litigation. Strangely, companies in the Asia Pacific region seemed unsure as to what their main drivers were, with a mixed response.”

Generally, companies in the Americas have more confidence about how they are dealing with IT security issues, since they scored higher on such questions as “Are you confident in your ability to identify malicious activity?”, “to respond in a timely manner to an identified breach” and “to effectively mitigate the impact of an identified breach”.

Timmins said: “Almost 50pc of companies in the Americas still reported that they had been subject to a malicious attack over the last year compared to less than 40pc in EMEA and only 19pc in Asia Pacific.”

The confidence within American and Asia Pacific companies is reflected in the fact that only 20pc and 17pc respectively believe that they will be exposed in the coming year, compared to 33pc in EMEA. Hamlet said: “SMEs maintaining not only their own data but that of third parties must be sure to be even more secure. This is especially important when data is travelling all over the world. Data and information passed on to a local company looking after a subsidiary operation could jeopardise the whole international security and potentially have vast financial implications.”

Timmins added: “Our survey has highlighted differences between the Americas, EMEA, and Asia Pacific regions, and has shown that where perhaps, in the Americas, companies are confident in that they have firm policies and published documentation, adhering to national regulation, companies in EMEA were more vigilant to ensure their current employees are kept up to date and made aware by regular training and by stipulations in employee contracts, as well as in third party contracts and letters of engagement.”

Stephen Roger, Executive Director of the BKR International Asia Pacific region, said: “Companies who have yet to experience a major catastrophe may be taking the ‘it won’t happen to me’ approach; yet to be ‘reactionary’ rather than ‘preventative’ to something so serious, significant and recently prevalent, once the damage is done, may be too late.”

Stephen added: “Companies in the Asia Pacific region need to immediately implement regular information security awareness training to keep all stakeholders’ interests well protected.”

Ian Shaw, Managing Director at MWR InfoSecurity, said: “This has been a fascinating survey and one which we should all pay serious attention to. From an IT security perspective it shows that there are many companies who are taking the IT security threat seriously.”

He added: “The differences seen in the use of information security awareness training for employees were intriguing. In EMEA this figure was 40pc, while in the Americas just 17pc of responding organisations had adopted awareness training. Given the effectiveness of this approach, especially considering the recent targeted social engineering attacks, it is difficult to explain the low figure in either region. But the higher figure in EMEA may be down to the use of differing standards, with ISO 27001 (based on the former ISO 17799 standard) having a greater history in EMEA, being based on the original British BS 7799 standard which makes the case for awareness training and education. But this does not explain the smaller difference in the publication of a formal Information Security Policy. Here 55pc of organisations surveyed in the Americas responded that they had published a firm policy, compared with 47pc in EMEA.”

The evidence

• In the Americas, more than half of companies reported having a published information security policy (against only 34pc in EMEA and 25pc in Asia Pacific), but only 17pc of those companies in the Americas have regular information security user-awareness training, and a shocking 11pc in Asia Pacific (compared to 44pc in EMEA).
• Less than half of companies in the Americas had employee contracts including stipulations/clauses concerning information security policies and non-compliance (compared to almost 60pc in EMEA and just over 60pc in Asia Pacific).
• Less than 50pc of companies in the Americas and Asia Pacific regions had third-party supplier contracts/letters of engagement including stipulations/clauses concerning information security policies and non-compliance (compared to almost 60pc in EMEA).
• More than half of those companies in the Americas and the Asia Pacific regions were confident in their organisation’s ability to identify, respond in a timely manner to, and effectively mitigate the impact of a security breach (the companies in EMEA were less confident on all three questions, with affirmative responses of between 33pc and 41pc).
• In the Americas, the highest drivers for IT security were compliance and customer data protection. In EMEA, the highest drivers were reputation and customer data protection. In Asia Pacific, there were no strong indicators, with no consistency in responses from companies surveyed.

© 2024 Professional Security Magazine. All rights reserved.