Former employees a growing IT security threat
LONDON, MOSCOW, 10 November 2009 – Reprisals from recently departed employees and a lack of adequate security budgets and resources are becoming major concerns for senior IT professionals, according to the 12th annual Ernst & Young 2009 Global Information Security Survey.
The survey, which canvassed nearly 1,900 senior executives in more than 60 countries, revealed that 75% of respondents are concerned with possible reprisals from employees who have recently left their organizations. Furthermore, 42% of respondents are already trying to understand the potential risks related to this issue and 26% are already taking steps to mitigate them.
Paul van Kessel, Global Leader of Ernst & Young’s Technology and Security Risk Services, comments: “With the economy still in recession, employees that are made redundant may feel resentful towards their previous employer in a number of ways that may affect the smooth operation of an organization. Increasingly, the employer’s IT system has become a common target and data theft is also prevalent. It is paramount that companies undertake a specific risk assessment exercise to identify their potential exposure and put in place appropriate risk-based responses.”
Finding adequate budgets still a significant challenge
Allocating adequate budget to information security continues to be a challenge in 2009, with a total of 50% of respondents ranking this as a “high” (4) or “significant” (5) challenge; a very notable increase of 17 percentage points over 2008. This finding is also particularly striking in light of the fact that 40% of respondents indicated that they planned to increase their annual investment in information security as a percentage of total expenditures and 52% planned on maintaining the same level of spending.
Van Kessel continues: “Information security today already requires a lot more investment, as organizations race to catch up with an accelerating threat landscape, after a much delayed start. However, information security is not immune to external economic forces and senior IT professionals will need to improve efficiency and effectiveness while keeping spending to a minimum.”
Nikolay Samodaev, Ernst & Young Partner, the CIS Leader in the Technology Security and Risk Services (TSRS) points out: "In the context of cost efficiency measures introduced in line with more rigid corporate requirements to improve performance of each of the company's business lines, the most obvious solution is to apply a risk-oriented approach to manage information security".
Complying with regulations
The survey revealed that regulatory compliance is also a top priority for information security leaders and continues to be an important driver of information security improvements.
When asked how much their companies were spending on compliance efforts, 55% of respondents indicated that regulatory compliance costs were accounting for moderate to significant increases in their overall information security costs. Only 6% of respondents plan on spending less over the next 12 months on regulatory compliance.
Van Kessel explains: “Government and industry-led regulations have clearly resulted in organizations adopting a more-structured approach to information security. On the one hand, it is good news that becoming compliant is changing organizations’ security procedures or policies for the better. On the other hand, many organizations are still viewing compliance as a by-product rather than the primary driver of information security.”
Nikolay Samodaev adds: "Implementation of controls to ensure regulatory compliance (FZ No. 152 "Concerning Personal Data", Decree No. 242-P "Concerning Internal Controls in Credit Organizations and Banking Groups", etc.) is a really important agenda which represents one of the key areas of information security in Russia".
Due to a heightening occurrence of data breaches, data protection is at the forefront of many information security leaders’ minds. Implementing or improving Data Leakage Prevention (DLP) technologies is the second-highest security priority in the coming 12 months, identified by 40% of respondents as one of their top three priorities. Data leakage prevention is the combination of tools and processes for identifying, monitoring and protecting sensitive data or information.
One of the most startling findings is how few companies are encrypting their laptops. Only 41% of respondents are currently encrypting them with only 17% planning to do so in the next year. This is surprising for a number of reasons: the number of breaches that have occurred due to loss or theft of laptops; the fact that the technology is readily available and affordable to implement; and that the impact to users during deployment is relatively low and should no longer be a barrier.
Van Kessel concludes: “Our survey shows that the levels of internal and external risks continue to increase. Managing information security risks requires an approach that is flexible and focused on what matters most to the organization, protecting critical information. Only by understanding the use of information within critical business processes can an organization, and in particular its information security function, truly begin to manage its security needs.”
About the survey
The Ernst & Young 2009 Information Security Survey was developed with help from Ernst & Young’s assurance and advisory clients in more than 60 countries. The fieldwork was conducted between June and August 2009. The results were primarily collected through interviews held with executives from approximately 1,900 organizations across all major industries.
About Ernst & Young
Ernst & Young is a global leader in assurance, tax and legal, transaction and advisory services. Worldwide, our 144,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
Ernst & Young expands its services and resources in accordance with clients’ needs throughout the CIS. 3,400 professionals work at 16 offices throughout the CIS in Moscow, St. Petersburg, Novosibirsk, Ekaterinburg, Togliatti, Yuzhno-Sakhalinsk, Almaty, Astana, Atyrau, Baku, Kyiv, Donetsk, Tashkent, Tbilisi, Yerevan and Minsk.
For more information, please refer to www.ey.com.