Irish organisations show a stronger awareness of threats to information security than their European or global counterparts but are nonetheless failing to put adequate safeguards in place, a new report has revealed.
According to the 2004 Ernst & Young Global Information Security Survey, business leaders in Ireland are increasingly aware of the risks posed to their information security by people within their organisations but they not acting on this knowledge.
Although many security experts are increasingly drawing attention to the elements of people and policy in tackling information security, the Ernst & Young data suggests this message has yet to filter down to many organisations. Less than 30pc of the organisations polled for the survey said that training and raising employee awareness of information security issues was a top priority.
For Irish companies, employee misconduct was only the fourth area of concern behind other priorities. Viruses, Trojan horse and worms were in first place followed by spam and loss of customer data.
Ernst & Young concluded that organisations remain focused on external threats such as viruses, while internal threats are consistently under-emphasised. Companies will readily commit to technology purchases such as firewalls and virus protection, but are hesitant to assign priority to human capital.
In addition, the trend towards outsourcing has led Ernst & Young to suggest that organisations are finding it harder to keep control over their information and consequently, for senior management to understand their company’s exposure to risk.
“Companies can outsource their work, but they can’t outsource responsibility for its security,” said Pat Moran, partner at Ernst & Young’s Technology and Security Risk Services. “Only one quarter of Irish companies (compared with one third of companies globally) conduct a regular assessment of their IT providers to monitor compliance with information security policies – they are simply relying on trust. Organisations have to demand higher levels of security from their business partners.”
The survey had some better news for Irish managers however: the information security departments in Irish companies appear to be more effectively meeting the needs of their organisations than elsewhere, Ernst & Young found. More Irish companies have a chief information security officer, chief security officer or chief risk officer in place than their global and European counterparts.
Further, Irish companies meet more frequently to discuss how their information security service is aligned with the objectives of the business. Irish organisations report to the board of directors on a more frequent basis than their global and European counterparts.
Regulations are having less impact on Irish organisations than global or European ones: 65pc of Irish respondents said they were feeling an effect, compared with 79pc worldwide and 86pc in Europe.
The survey found that in general, security practices are more widely deployed in Irish organisations than in their counterparts. 63pc of Irish organisations indicated that their information security budget for 2004 was increased compared to 2003. This upward trend tallies with data released last month by the analyst firm IDC, which showed that security spending among Irish organisations would rise this year – some 54pc of respondents said they would be allocating some IT budgets to this area, up from 32pc last year.
Ernst & Young surveyed 1,233 companies in 51 countries in compiling its report. An electronic copy of the survey can be downloaded from http://www.ey.com/globalsecuritysurvey.
By Gordon Smith