Lapses in information security among UK businesses are poorly recorded and understood, reflecting a lack of understanding of the threat level that organisations face, according to the findings of PricewaterhouseCoopers' annual Global State of Information Security Survey 2008. The study, the largest of its kind and now in its sixth year, was conducted by PricewaterhouseCoopers LLP in conjunction with CIO and CSO magazines.
The survey polled 7,000 information technology executives from 119 countries (over 300 from the UK) across all industries on the challenges of protecting corporate information assets. The global findings confirm many of the recent trends and developments in information security that UK organisations have experienced.
Although organisations continue to invest heavily in security tools such as software for intrusion detection, encryption and identity management, they are still struggling with their security processes, the study shows. Most UK companies in the sample did not know where their data was located, 37% weren’t sure how many incidents they had had and more than half could not say what type of security incident had occurred or what had caused them. Some 30% of companies had neither measured nor reviewed the effectiveness of their information security policies over the past year.
Confidence about the effectiveness of their organisation's information security activities was also quite low among the UK executives polled. Less than one in three said they were very confident that their information security was effective, while even fewer, less than one in four, felt very confident about the effectiveness of their suppliers' or business partners' security. The latter is perhaps not a surprising finding given the recent problems that some organisations have encountered over security lapses when third parties have handled their data.
Neil Austin, director in the information security group of PricewaterhouseCoopers LLP said:
“There appears to be an overall misalignment with executive management’s view of security, causing many organisations to fail to capture the full value from their spending in this area. Information has become the new currency of business. Its availability, integrity and confidentiality are crucial components of a collaborative business.”
The study also shows that although UK companies have clearly invested heavily in technology, when issues of information security are raised there is a tendency to focus on purely technical safeguards. This finding is consistent with the results of the Information Security Breaches Survey which PricewaterhouseCoopers carried out for the Department for Business, Enterprise & Regulatory Reform earlier this year, which showed that recognising information security as not just an IT issue is crucial to keeping data safe.
People, in particular employees and former employees, remain the biggest threat to information security. According to the survey, employees and former employees were together responsible for 41% of the incidents (50% globally), although not all of those incidents were malicious. The main impacts of all incidents on UK companies were financial losses (40%), fraud (28%), intellectual property theft and brand/reputation compromised (both 25%). Some 13% of the incidents cost UK companies between $100,000 and $500,000 (£57,000 to £287,000) each.
Neil Austin added:
“One of the best ways of improving security across a business is to match technology investments with a commitment to other key drivers: the critical business and security processes that support technology and the people that administer and use them. Also, lack of ownership and accountability for security is often a major contributor to breaches. Information security should be a key consideration in any organisation’s projects and programmes and the responsibilities for driving awareness and policy need to be joined up.”
Looking ahead, the survey identified the key concerns for organisations as the protection of privacy, controlling access to data, outsourcing arrangements and third-party relationships. Information security is now seen as a high priority by UK companies, and the adoption of risk-based approaches to compliance is starting to emerge as a key strategy.
Contact details
Email:
Neil Austin
Tel:
+44 (0)191 269 4029