Fighting to close the gap:
2012 Global Information Security Survey
While the vast majority of Australian organisations believe the risk environment has changed significantly as a result of rising security threats, 63% of organisations say that the number of actual security incidents has remained the same in the past 12 months.
Thirty-two percent say the number of security incidents affecting their organisation has increased, while only six per cent have seen a drop.
The findings are part of Ernst & Young’s Global Information Security Survey 2012 report released on 31 October. The report, now in its fifteenth year, is based on responses from more than 1,850 CIOs, CISOs and other information security executives in 64 countries.
Our Asia-Pacific Information Security Leader Mike Trovato said a much higher proportion of Australian companies (91%) had an increasing risk from external attacks compared to the global average (74%). However, this was not the only source of concern for Australian organisations, with 45% reporting that internal vulnerabilities were also on the rise.
Gap widening between security measures in place to protect organisations and the level of threats
“There is no doubt that the gap between the current level of information security measures and what they actually need to protect organisations is widening. However, there is no single issue creating the gap. Rather, it’s a combination of complex, intersecting issues that are driving the need for organisations to get their house in order. We’re at a point in time where the need to develop a robust security architecture framework as well as all-encompassing ongoing monitoring system has never been greater.” Mike Trovato, Asia-Pacific Security Leader, Ernst & Young
Outdated information security controls or architecture topped the list of vulnerabilities that had most increased organisations’ risk exposure over the past 12 months. This was followed by careless or unaware employees, cyber attacks to disrupt or deface the organisation and cyber attacks to steal financial information. Social media ranked close to the bottom of the list of threats.
Cloud computing uptake doubles since 2010
Cloud computing continues to be one of the main drivers of business model innovation, with the numbers of organisations using the cloud almost doubling in the past two years.
- 80% of organisations are using some form of cloud-computing or have it under evaluation, while 20% have not made the jump as yet.
- 38% of organisations have not taken any measures to mitigate the risks of cloud computing, such as stronger oversight on the contract management process for cloud providers, the use of encryption techniques, or third party security assessment.
More key findings of the Global Information Security Survey (Australia) 2012 include:
- Only 2% of organisations disallow the use of all tablets/smartphones for business use altogether, while 36% only allow the use of company-owned devices and disallow use of personal devices.
- Most organisations have made policy adjustments (62%), implemented new mobile device management software (57%) and encryption techniques (41%) to mitigate potential risks of using smartphones or tablets.
Roadmap to success
Our Global Information Security Survey 2012 highlights that traditional approaches to information security management have not worked. We have developed four key steps toward fundamental information security function change:
- Link information security strategy to the business strategy
- Redesign the architecture
- Execute the transformation successfully and sustainably
- Deep dive into the opportunities and risks of new technologies
The 2012 Global Information Security Survey (GISS) report is available from your Ernst & Young contact or on the web at www.ey.com/GISS