June 01, 2005

Top-Level Security Efforts Lacking

Although executives are well aware of the risks surrounding the security of their internal information, companies around the globe still fail to safeguard themselves from potential threats. Worse, these companies are not expressing the severity of potential threats to their employees, according to a 2004 Ernst & Young (New York) Global Information Security Survey. The report focuses on responses from more than 1,230 organizations - 15 percent from the banking industry - across 51 countries.

Furthermore, the study reveals that while companies are focused on external threats, they underemphasize internal threats. These risks become more severe as companies pursue outsourcing and other external partnerships that cannot be controlled easily within their four walls, the report says. However, few companies are aware of where threats exist within the enterprise.

Close to 70 percent of respondents' boards of directors failed to receive a quarterly report about the organization's information security status, the study says. And a mere 28 percent of participants reported that raising employee information security training or awareness was a top initiative in 2004.

"Fewer than one-third of companies conduct a regular assessment of compliance of their IT providers against internal security policies," said Edwin Bennett, global director of Ernst & Young's technology and risk services, in a statement. "They are simply relying on trust."

Companies must instill a security-conscious culture, the report recommends. However, success depends on support from top-level executives. Management buy-in is a prerequisite to changing the way organizations approach information security. Still, only 20 percent of surveyed companies currently view information security as a CEO-level priority (see chart at left), according to the study.

"More should and could be done to transform the skills and awareness of their people, who often present the greatest opportunities for vulnerability," Bennett added. "By converting them, companies will gain their strongest layer of defense."