EY: on the urgent need to transform IT security
23 July, 2013 - EY’s 15th annual Global Information Security Survey has disclosed that even though organizations are taking steps to enhance their information security capabilities, few have kept up with the ever-changing risk landscape. Short-term incremental changes and bolt-on solutions are not sufficient. An organization can close the gap by transforming its information security functions.
Keith Yuen, EY Greater China Advisory partner, says, “Implementing information security transformation to close the ever-growing gap between vulnerability and security does not require complex technology solutions. Rather, it requires leadership, as well as the commitment, capacity and courage to act — not a year or two from now, but today.”
The survey findings highlight major information security challenges for organizations, such as:
- Organizations express deep concern over increased external threats. 77% of respondents indicate an increase of external threats.
- Security measures have not kept pace with the use of cloud computing. Cloud computing adoption has doubled from 2010 to 2012, but 38% of respondents indicated that they have not taken measures to mitigate such security risks.
- The use of mobile devices has increased dramatically, but the deployment of security technology has fallen behind. 44% of the organizations surveyed allow the use of company- or privately-owned tablet computers for business use, but only 40% of companies use encryption techniques for mobile devices.
- Popularization of social media may bring potential risks. 38% of respondents indicate that their organizations have not taken measures to address security risks related to social media.
- Gap expands due to a lack of security budget and capacity. 62% of respondents indicate that budget constraints are one of the main obstacles for information security effectiveness. Moreover, 44% of organizations say a lack of skilled resources in security management and execution hampers their ability to implement security goals.
The report concludes, “By fundamentally transforming their information security management strategy, organizations can respond effectively to existing security threats, as well as to security risks arising from emerging technologies.”
Escalating external threats
With escalating information security threats and more frequent information security incidents, organizations should recognize that the risk environment is changing. Despite corporate security upgrades, the pace of external threats has picked up speed. In 2009, 41% of respondents noticed an increase in external attacks. By 2011, that number had leapt to 72%. In 2012, it had risen to 77%. Examples of external threats include hacking, espionage, organized crime and terrorism. Organizations have also noticed an increase in internal vulnerabilities. Nearly half of respondents (46%) say they have witnessed such an increase, and they cite weak awareness of information security as a significant obstacle to successful information security initiatives.
Overwhelming trend of cloud-based services
New technologies have opened up tremendous opportunities for organizations, but have also created potential threats. Cloud computing is one of the main drivers of business model innovation. Over the past two years, the number of organizations using cloud computing services has doubled. However, 38% of respondents indicate that their organizations have not taken measures to mitigate the associated risks, such as exercising stronger oversight over the contract management process for cloud service providers or using encryption techniques.
Rising mobile application development
With the development of the mobile internet, more employees are buying smartphones and data services. Giving personal devices access to company systems can help lower purchasing costs while increasing employee productivity and creativity. Yet greater opportunity can open up greater risk. Organizations must figure out how to configure their response so that employees can blend work devices with their personal devices without creating information security problems.
Yumin Lin, EY Greater China Advisory director, says, “In 2011, only 20% of organizations encouraged BYOD activities, while in 2012, 44% of organizations now allow the use of company- or privately-owned tablets within their organization. The results reveal an explosion of internal and external information exchange, making related security controls more problematic.” However, adoption of security techniques and software in the fast-moving mobile computing market remains low. The survey finds that only 40% of organizations have applied encryption techniques on their mobile devices.
Burgeoning social media
In addition to the many opportunities that social media generate, there are numerous new challenges as well. Social media can quickly build an organization’s brand and expand its presence, and can just as quickly crush it. Challenges include data security, privacy concerns, regulatory and compliance requirements, and the impact on productivity. Our survey shows that 38% of organizations do not have a corresponding mechanism to address such risks. The result is an increase in overall risk and a limited capability to exploit social media channels in the future.
Urgent need to enhance information security resources and capability
From the perspective of shareholders and investors, information security should be one of their major concerns and corporate information security management deserves greater support. However, information security functions remain beset by a lack of information security resources and capability. 62% of respondents indicate that budget constraints are one of the main obstacles. Moreover, 44% of organizations say that a lack of skilled resources in security management and execution hampers their implementation of security goals.
Yumin Lin says, “For some organizations, security professionals, security maturity or security budgets could play a role in their decision-making. However, the patchwork or bolt-on solutions would only meet their short-term information security needs, which could bring other potential security risks.”
Organizations have only enhanced their information security capacity with symptomatic and patchwork solutions, paying less attention to addressing information security threats in a more comprehensive manner. Over the past two years, only 8% of respondents have seen a decrease in security incidents. Hence, it is imperative to develop a strong security system. However, about 63% of respondents indicate that their organizations have no formal security architecture framework in place, while only 16% of respondents claim that their information security functions meet their business needs.
Looking ahead, Keith Yuen says, “Our survey findings suggest that there is a gap between the status quo of information security and goals of organizations, and this gap will be widened with the development of new governmental regulations and ever-changing security threats. If organizations do not take immediate steps to establish a comprehensive information security system, existing challenges and unknown potential risks will make the information security environment even worse. The only way an organization can close the gap would be to transform its information security functions.”
Keith Yuen adds, “Making such an adjustment does not require complex technology solutions. Rather, it requires leadership, commitment, capacity and determination to act. Do not just talk about what to do in the future, but focus on innovations for today. EY suggests that organizations should take such steps as linking their information security strategy to the business strategy, redesigning the architecture, executing the transformation sustainably and diving into the opportunities and risks of new technology. Accordingly, organizations could fundamentally shift how their information security functions operate in order to close the ever-widening IT risk gap.”
EY Global Information Security Survey
The EY Global Information Security Survey has just entered its 15th year. We invited approximately 1,850 CIOs, CISOs, CFOs, CEOs and other information security executives from 64 countries, including China, to participate in the survey, which is the most comprehensive of its kind.
For more information, please visit www.ey.com/GISS.
- End -
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.
This news release has been issued by EY, China, a part of the EY global network.
About EY Advisory Services
The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 25,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multi-disciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how EY makes a difference.