A Human Approach
Though CEOs are aware of internal threats to information security, most still concentrate their resources on preventing external attacks, according to the 2004 Ernst & Young (New York and London) Global Information Security Survey. Globally, the study found that more than 70 percent of respondents failed to list training and raising employee awareness of information security as a top initiative.
"Companies are worried about hackers because this is a public problem," says John Patrick Boland, senior manager in the Americas Strategy practice, Ernst & Young. However, "Very few companies get asked by the media about internal downloads and lost PCs because this stays under the radar."
As many businesses engage in external partnerships, acquisitions and outsourcing, more people have access to information, and it becomes more difficult to ensure the security of information. "You are only as secure as your weakest link," Boland explains. "Most companies have anti-virus programs, SPAM protection and virtual private networks, but without employee training and compliance practices, an internal culture of lax security may result and have a ripple effect."
The Tone at the Top
While companies commit to expensive technologies such as firewalls and virus protection, communication among management may be the best security asset, suggests Boland. According to the survey, "Employee misconduct involving information systems" [60 percent] ranked behind "major virus, Trojan horse or Internet worms" [77 percent] among the top perceived threats. Still, only 28 percent of respondents listed "raising employee information security training or awareness" as a top initiative in 2004.
"Something as simple as making internal security awareness a part of the executive or board of directors briefing could lead to improved business continuity plans," Boland asserts.
The survey, which consisted of 60 percent to 70 percent Ernst & Young clients, included 1,233 companies in more than 51 countries; 336 respondents were financial services organizations, the largest industry represented. One hundred participating firms claimed an insurance background. Other industries represented included health services, manufacturing, public sectors, retail, technology and transportation.
The financial services industry was the leader in the use of vulnerability management services, at 62 percent, with overall global usage at 50 percent. "Financial services understand that trust is their market value, so there is some greater governance over information," Boland notes. "There simply needs to be that recognition that humans are becoming a bigger part of the system."