Ex-employees: a growing IT security threat
By Dominique Georges, Ernst & Young Luxembourg
Business Review
December 2009
Act of vengeance from recently departed employees and a lack of adequate security budgets and resources are becoming major concerns for senior IT professionals, according to the 12th annual Ernst & Young 2009 Global Information Security Survey.
The survey, which canvassed nearly 1,900 senior executives in more than 60 countries, revealed that 75% of respondents are concerned with possible “reprisals” from employees who have recently left their organizations. Furthermore, 42% of respondents are already trying to understand the potential risks related to this issue and 26% are already taking steps to mitigate them.
Paul van Kessel, Global Leader of Ernst & Young’s Technology and Security Risk Services, comments: “With the economy still in recession, employees that are made redundant may feel resentful towards their previous employer in a number of ways that may affect the smooth operation of an organization. Increasingly, the employer’s IT system has become a common target and data theft is also prevalent.”
Budgets still a challenge
Allocating adequate budget to information security continues to be a challenge in 2009, with a total of 50% of respondents ranking this as a “high” (4) or “significant” (5) challenge; a very notable increase of 17 percentage points over 2008. This finding is also particularly striking in light of the fact that 40% of respondents indicated that they planned to increase their annual investment in information security as a percentage of total expenditures and 52% planned on maintaining the same level of spending.
Complying with regulations
The survey revealed that regulatory compliance is also a top priority for information security leaders and continues to be an important driver of information security improvements.
When asked how much their companies were spending on compliance efforts, 55% of respondents indicated that regulatory compliance costs were accounting for moderate to significant increases in their overall information security costs. Only 6% of respondents plan on spending less over the next 12 months on regulatory compliance.
Van Kessel explains: “Government and industry-led regulations have clearly resulted in organizations adopting a more-structured approach to information security. On the one hand, it is good news that becoming compliant is changing organizations’ security procedures or policies for the better. On the other hand, many organizations are still viewing compliance as a by-product rather than the primary driver of information security.”
Leveraging technology
Due to a heightening occurrence of data breaches, data protection is at the forefront of many information security leaders’ minds. Implementing or improving Data Leakage Prevention (“DLP”) technologies is the second-highest security priority in the coming 12 months, identified by 40% of respondents as one of their top three priorities. Data leakage prevention is the combination of tools and processes for identifying, monitoring and protecting sensitive data or information.
One of the most startling findings is how few companies are encrypting their laptops. Only 41% of respondents are currently encrypting them with only 17% planning to do so in the next year. This is surprising for a number of reasons: the number of breaches that have occurred due to loss or theft of laptops; the fact that the technology is readily available and affordable to implement; and that the impact to users during deployment is relatively low and should no longer be a barrier.
Van Kessel concludes: “Our survey shows that the levels of internal and external risks continue to increase. Managing information security risks requires an approach that is flexible and focused on what matters most to the organization, protecting critical information. Only by understanding the use of information within critical business processes can an organization, and in particular its information security function, truly begin to manage its security needs.”
*Dominique Georges is Executive Director, IT Risk & Assurance, Ernst & Young, Luxembourg
Posted on 14 December 2009
