CEOs aren’t doing enough to address the myriad IT security threats that loom large. At least that’s what
Ernst & Young concluded from survey results it released today.
E&Y contacted 1,233 organizations representing 51 countries for its
“Global Information Security Survey 2004,” a report meant to gauge enterprise
perceptions of security. In the 11-year history of the report, not much has changed.
“Perhaps the remarkable thing is how little attitudes, practices, and actions have changed since 1993
— during a period when threats have increased significantly,” the report states.
The survey found that only 28 percent of global respondents noted “raising employee information security
training or awareness” as a top 2004 initiative, despite the fact that a “lack of security awareness by users”
was their top IT security obstacle.
Sixty-seven percent of the organizations surveyed view information security as being an important part
of achieving their organizations’ overall business goals and objectives. This is an 11 percent increase
over last year.
Employee misconduct involving information security was noted by 60 percent of respondents as being a
high-level concern for organizations over the next 12 months. The survey also found that the No. 1 one cause for
business system outages was hardware failure at 72 percent of which 87 percent originated within the organization
itself (as opposed to be external).
“While the public’s attention remains focused upon the external threats,
companies face far greater damage from insiders’ misconduct, omissions, oversights,
or an organizational culture that violates existing standards,” Edwin Bennett, global director of
Ernst & Young’s Technology and Security Risk Services, said in a statement.
“Because many insider incidents are based on concealment, organizations often are unaware they’re being victimized,”
Bennett continued. “Too many organizations feel that information security has no value when there
is no visible attack. This is a perception that has remained unchanged over the decade that
Ernst & Young has been conducting this survey.”
Visible attacks in the form of viruses, Trojans and worms were the No. 1 high-level concern
among the survey base, coming in at 77 percent. They were noted by 68
percent of respondents as being responsible for an unexpected or unscheduled outage of a critical business system.
In contrast to the incidents reported from those external threats, incidents originating from former or current
employee misconduct were noted by only 24 percent of respondents.
In E&Y’s view, the buck should stop at the CEO’s desk. The survey found
that only 20 percent of organizations view IT security as a CEO-level priority. E&Y advocates that the CEO should
set the tone for a security-conscious culture.
“Companies can transform their view of information security, and approach it as a way to gain competitive advantage
and preserve shareholder value, rather than merely consider it a necessary cost of doing business,” Bennett said.
“However, this transformation must be led by a visible shift in attitude from the CEO and the board. More could and
should be done to transform the skills and awareness of their people who often present the greatest opportunity
for vulnerabilities and convert them into its strongest layer of defense.”
Respondents indicated they would not increase spending on IT security as much as in previous years.
In 2003, 21 percent said the spending would increase significantly while 40 percent said it would
increase slightly. In this year’s study, only 17 percent
said spending would increase significantly and 52 percent thought it would increase only slightly.
Earlier this year, research firm IDC
percent of its survey base indicated that IT security spending would increase. According to CompTIA,
when organizations invest in IT security, it usually results in fewer incidents.
In survey results
published last April, the firm found
that organizations reported 19.7 percent fewer security incidents when at least 25 percent of their staff
had IT security training.