Security or the Lack Thereof

A survey conducted by Avira Operations GmbH & Co. finds user attitudes about security remain lax, with less than 40 percent of end users claiming to follow security policies. Meanwhile, a survey by Ernst & Young Global Ltd. (E&Y) shows that IT risk management remains an issue, with particular exposures in the areas of data loss prevention and mobile computing. 

Focal Points:

• A recent survey by Avira of 990 end users finds less than 40 percent of end users profess to follow security policies at work while around 35 percent do not even consider it important to adhere to security policies. One-fourth of the respondents do not think about security at all and believe the total burden belongs to the system administrators. Only 39 percent of those who took the survey claim to comply with their company's security policies and procedures.
• E&Y conducted its 14th global information security survey this year, with input from 1,700 participants in 52 countries and all industry sectors.  Amongst its key findings was the belief that as organizations digitize and move to the cloud or become borderless the risk landscape changes. 72 percent of the respondents see an increasing level of risk due to external threats resulting from the change while 46 percent of the respondents see a similar increasing level of risk due to internal vulnerabilities. 84 percent of the survey takers indicated they have an IT risk management program or are considering one within the next 12 months. A mere 49 percent claimed their information security function is meeting the needs of the organization. For the second consecutive year respondents have placed business continuity as their top funding priority. However, only 56 percent of companies have an approved business continuity management (BCM) program in place while 18 percent have no BCM program in place at all.
• E&Y also found that 66 percent of respondents have not implemented data loss prevention tools while 26 percent do not have a policy defined for classification and handling of sensitive data as a control for data leakage risk. While as many as 80 percent of the respondents are using or considering tablet computers for the enterprise, only 57 percent have made policy adjustments to mitigate risk from mobile computing. On the other hand, the survey shows the adoption of smartphones and tablets ranked second-highest on the list of technology challenges perceived as most significant. Additionally, 61 percent of the respondents are currently evaluating, planning, or using cloud computing services within the next 12 months while 53 percent have implemented limited or no access to social media sites as a control to mitigate risks.

Experton Group believes security persists as IT's weakest link, primarily due to shortcomings in culture, concern, governance, policies and/or procedures. Too many management and employees remain unconcerned by business continuity, data loss, or other security risk exposures, even though security events constantly appear in the news. Security is one of the many "moments of truth"    that can damage an enterprise's image, undermine customer loyalty, impact revenues, or drive up the cost of doing business. With company boundaries disappearing and ownership of devices that access corporate applications and data shifting beyond the organization's control, business and IT executives must shore up their security exposures and make it a boardroom issue. IT executives should make information security an integral part of their product and service delivery and work with business executives to change the culture so that security is everyone's ongoing concern.