Former employees a growing IT security threat - Ernst & Young - United Kingdom

Former employees a growing IT security threat

London 9 November 2009: Reprisals from recently departed employees and a lack of adequate security budgets and resources are becoming major concerns for senior IT professionals, according to the Ernst & Young 2009 Global Information Security Survey.

The survey, which canvassed the views of 1,900 senior executives in more than 60 countries, revealed that 75% of respondents are concerned with possible reprisals from employees who have recently left their organisations. Furthermore, 42% of respondents are already trying to understand the potential risks related to this issue and 26% are already taking steps to mitigate them. 

Richard Brown, partner in IT risk advisory at Ernst & Young, comments: “With the economy still in recession, employees that are made redundant may feel resentful towards their previous employer in a number of ways that may affect the smooth operation of an organisation. Increasingly, the employer’s IT system has become a common target and data theft is also prevalent. It is paramount that companies undertake a specific risk assessment exercise to identify their potential exposure and put in place appropriate risk-based responses.”

Finding adequate budgets still a significant challenge 
Allocating adequate budget to information security continues to be a challenge in 2009, with a total of 50% of respondents ranking this as a significant challenge – a 17% increase compared to last year. This is particularly striking given 40% of respondents indicated that they plan to increase their annual investment in information security as a percentage of total expenditure and 52% plan on maintaining the same level of spending.

Brown continues, “Information security today already requires a lot more investment, as organisations race to catch up with an accelerating threat landscape, after a much delayed start. However, information security is not immune to external economic forces and senior IT professionals will need to improve efficiency and effectiveness while keeping spending to a minimum.”

Complying with regulations 
The survey revealed that regulatory compliance is also a top priority for information security leaders and continues to be an important driver of information security improvements.

When asked how much their companies were spending on compliance efforts, 55% of respondents indicated that regulatory compliance costs were accounting for moderate to significant increases in their overall information security costs. Only 6% of respondents plan on spending less over the next 12 months on regulatory compliance. 

Brown explains, “Government and industry-led regulations have clearly resulted in organisations adopting a more-structured approach to information security. On the one hand, it is good news that becoming compliant is changing organisations’ security procedures or policies for the better. On the other hand, many organisations are still viewing compliance as a by-product rather than the primary driver of information security.”

Leveraging technology
Due to a heightening occurrence of data breaches, data protection is at the forefront of many information security leaders’ minds. Implementing or improving Data Leakage Prevention (DLP) technologies is the second-highest security priority in the coming 12 months, identified by 40% of respondents as one of their top three priorities. Data leakage prevention is the combination of tools and processes for identifying, monitoring and protecting sensitive data or information.

One of the most startling findings is how few companies are encrypting their laptops. Only 41% of respondents are currently encrypting them with only 17% planning to do so in the next year. This is surprising for a number of reasons: the number of breaches that have occurred due to loss or theft of laptops; the fact that the technology is readily available and affordable to implement; and that the impact to users during deployment is relatively low and should no longer be a barrier.

Brown concludes: “Our survey shows that the levels of internal and external risks continue to increase. Managing information security risks requires an approach that is flexible and focused on what matters most to the organisation, protecting critical information. Only by understanding the use of information within critical business processes can an organization, and in particular its information security function, truly begin to manage its security needs.”