72% of companies worldwide at risk from threats to information security

That's why more than half of these companies plan to increase their information security budgets in the coming 12 months.

According to Ernst & Young’s 14th annual Global Information Security Survey, as companies rush to “digitize” their business with new technologies and move into the increasingly borderless world of cloud computing and social media, global organizations face a growing gap between their business needs and the ability to tackle new and complex security threats.

The survey of 1,700 organizations globally found that 72% of the respondents see a rising level of risk due to increased external threats. At the same time, more than half (59%) of them plan to increase their information security budgets in the coming 12 months, focusing on areas including business continuity capabilities (47%), data leakage and data loss prevention (28%), compliance monitoring (21%), and identity and access management (21%).

Gerry Chng, IT Risk and Assurance Partner, Ernst & Young Advisory Pte. Ltd., comments: “More and more major businesses and industries are dependent on technology to facilitate their business processes. With the increased collaboration with upstream and downstream partners, data resides not just within the confines of the organization. Confronted with diminishing borders, cloud services, and increasing support of personal tablets for information mobility, companies are asking themselves how to respond to new and emerging risks and whether their strategy needs to be
revisited. The focus must move from short-term fixes to a more holistic approach integrated with
long-range strategic corporate goals.”

Information security not yet a boardroom priority
At the same time, indications from the survey suggest that information security may not be as high on the list of priorities in the boardroom as it should be. Only 51% of the survey stated they have a documented information security strategy. In fact, information security is not a visible agenda in the boardroom for most companies. Our survey indicated that only 12% of the respondents present information security topics at each board meeting and fewer than half (49%) of respondents stated that their information security function is meeting the needs of the organization.

Gerry Chng says: “A pragmatic and proactive response rather than a reactive one is required. Information security needs to be more visible in the board room with a clearly defined strategy that will support the business. Most companies still have a long way to go to make this a reality.

Security must be carefully planned and take into consideration the practicality of the controls that considers the IT operations. There needs to be buy-in from the business functions, and support needs to come from the top.”

Mobile technology and social media
With organizations increasingly supporting initiatives for employees to use personal tablets to access corporate information, it was natural that more than half the survey respondents ranked this adoption the second-highest on the list of technology challenges. Policy adjustments and awareness programs are the top two measures used to address risks posed by this new mobile technology. The adoption of security techniques and software, however, is still low. For instance, encryption techniques are used by fewer than half (47%) of the global organizations.

The massive popularity and growth of social media has also threatened the IT risk landscape. Social media risks include the introduction of malicious software lurking within social networks, hacked accounts that are used to solicit information, and the release of confidential or negative
company information or personal data.

To address potential risks posed by social media, organizations seem to be adopting a hard-line response. A majority (53%) of the global organizations respond by blocking access to sites rather
than embracing the change and adopting enterprise-wide measures.

Gerry Chng says: “There are existing solutions in the market that support the secure access of information on personal smartphones and tablets. Organizations should evaluate whether these solutions meet their needs, rather than using traditional channels such as web interfaces and opening up email access via the web as an option. This helps to satisfy the demands from the users to have increased mobility, while protecting the enterprise from the risks of doing so.

Along with such technological improvements, the organization also needs to ramp up its security awareness program so that users are aware of the risks. The traditional paradigm of security
within a perimeter is no longer valid. Organizations should embrace the change, and make security an agenda in everyone’s mind.”