Info-security Warning

by Msecadm4921

Businesses are taking a piecemeal approach to information security, without back-up training and compliance checks. So warn business advisers Ernst & Young.

Businesses are taking a piecemeal approach to information security, without back-up training and compliance checks. So warn business advisers Ernst & Young in their global information security survey 2002. The firm is warning companies that financial and reputational vulnerability will rise as connectivity increases. Some respondents indicate alarming gaps in security management around business critical systems and data, Ernst & Young say.

The firm is warning that only half, 53 per cent, of companies have business continuity plans and under half the respondents have not agreed recovery timescales, which could mean wide expectation gaps in the event of business interruption. More alarming still, according to the survey, only half (49pc) of these plans have been tested. The survey finds that businesses are thinking foremost of improving their disaster response plans; after that come more monitoring of employees' IT use, and more outsourcing of IT. The speed of change, and the greater sophistication of cyber-attacks, are the number one challenge, the survey suggests.

Ernst & Young say: “Our survey indicates progress has been made in some areas, such as virus protection. However, an alarming amount of evidence remains that organisations are lacking fundamental management information about security breaches.”

Employee awareness of information security is cited by 66 per cent of respondents as a barrier to achieving effective security, yet less than half of those surveyed have employee awareness and training programmes, to ensure security policies underpinning the technical solutions are met. Likewise, respondents speak of more concern about vulnerability to external attack (57pc) than internal (41pc). However, Ernst & Young point out that most attacks on information originate from within organisations.

Jan Babiak, Managing Partner of Ernst & Young’s UK Information Security Practice, says: “Today’s business environment demands that business leaders understand, anticipate and manage information security and availability as a business-wide priority. Organisations perceived to have an irresponsible approach to information security will be increasingly penalised by the markets and potential business partners. An organisation’s information security strategy must extend beyond the technical solution to include sound consideration of the nature of the business risks and the culture. It must be informed and objective and must drive tactical and operational decisions in all business areas if it is to be of real value today. Getting this right can mean the difference between success and failure.”

Many organisations are not as well protected as they think they are, say KPMG. Their global information security survey 2002 found that only 60 per cent of respondents have any security violation reporting, for example. More financial sector (FS) organisations have implemented ISO 17799, the international standard on information security management, than organisations in general, and financial firms report fewer security problems. Most organisations admit to security breaches – in order, virus incidents, then unwanted e-mail intrusions; denial of service attacks; loss of software; and website intrusion and hacking.