Media Release - 16 December 2009
Contact: Clare Farrant
Communications Manager. Ernst & Young
09 300 7065 0274 899 700
Information security risk management top priority for 2010
Companies need to take a more information-centric view of security to support today’s connected businesses and increasingly mobile and global workforces, according to the 12th annual Ernst & Young 2009 Global Information Security Survey.
“Improving information security risk management is the top priority identified in the survey with 50% of respondent indicating that they plan to spend more in this area over the next year,” says Paul Mahan, Ernst & Young Partner in Technology and Security Risk Services. “Effective use of that spend means wrapping security around the flow of information and knowing how the information is used to support critical business processes. With that knowledge on board organisations can justify the investment and successfully manage risk,” says Mahan
Information-centric security becomes even more important as companies opt to virtualise or outsource their IT functions to get better value for money, reduce their total cost of ownership and lower their overall carbon footprint, continues Mahan.
“Once outsourcing comes into play companies need to understand what their service providers are doing with their information, what threats they are exposed to and what security measures are in place,” says Mahan. “Companies need to ensure they ask the right questions and have the right clauses in their contracts to manage the associated risks.”
The survey, which canvassed nearly 1,900 senior executives in more than 60 countries also revealed that 75% of respondents are concerned with possible reprisals from employees who have recently left their organizations. Furthermore, 42% of respondents are already trying to understand the potential risks related to this issue and 26% are taking steps to mitigate them.
Paul Mahan comments: “The level of risk continues to rise in some part due to economic forces. With a slow recovery worldwide, IT systems have become a target and data and identity theft is widespread. This is happening at a time when business is increasingly relying on IT. It is more important than ever to undertake a specific risk assessment and manage the risk.”
Due to the heightened occurrence of data breaches, implementing or improving Data Leakage Prevention (DLP) technologies is the second-highest security priority in the coming 12 months, identified by 40% of respondents as one of their top three priorities. Data leakage prevention is the combination of tools and processes for identifying, monitoring and protecting sensitive data or information.
“One of the most startling findings is how few companies are encrypting their mobile devices. The survey revealed that only 41% of respondents are currently encrypting mobile devices with only 17% planning to do so in the next year. Sensitive information relayed to laptops or email capable phones for example is unsecured,” says Mahan.
“This is surprising for a number of reasons: the number of breaches that have occurred due to loss or theft of laptops; the fact that the technology is readily available and affordable to implement; and that the impact to users during deployment is relatively low and should no longer be a barrier,” says Mahan.
Finding adequate budget still a significant challenge
Allocating adequate budget to information security continues to be a challenge in 2009, with a total of 50% of respondents ranking this as a “high” (4) or “significant” (5) challenge; a very notable increase of 17 percentage points over 2008. This finding is also particularly striking in light of the fact that 40% of respondents indicated that they planned to increase their annual investment in information security as a percentage of total expenditures and 52% planned on maintaining the same level of spending.
Complying with regulations
The survey revealed that regulatory compliance is also a top priority for information security leaders and continues to be an important driver of information security improvements.
When asked how much their companies were spending on compliance efforts, 55% of respondents indicated that regulatory compliance costs were accounting for moderate to significant increases in their overall information security costs. Only 6% of respondents plan on spending less over the next 12 months on regulatory compliance.
About the survey
The Ernst & Young 2009 Information Security Survey was developed with help from Ernst & Young’s assurance and advisory clients in more than 60 countries. The fieldwork was conducted between June and August 2009. The results were primarily collected through interviews held with executives from approximately 1,900 organizations across all major industries.
The full report is available on request or at www.ey.com
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 144,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
For more information, please visit www.ey.com.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
This news release has been issued by EYGM Limited, a member of the global Ernst & Young organization that also does not provide any services to clients.