CEOs aware, but not acting on threats to information security, says Ernst & Young's 2004 Information Security survey

CEOs must do more to counter the threat to information security from insiders

LONDON and NEW YORK, Sept. 22, 2004 -- Organizations around the world are failing to safeguard against increasingly potent threats to the security of their information, a survey by the leading professional services provider Ernst & Young has found.

The 2004 Ernst & Young Global Information Security Survey found that, although company leaders are increasingly aware of the risks posed to their information security by people within their organizations, they are not acting on this knowledge. More than 70 percent of the 1,233 organizations -- representing some of the leading companies in 51 countries -- failed to list training and raising employee awareness of information security issues as a top initiative.

As organizations move toward increasingly decentralized business models through outsourcing and other external partnerships, it becomes ever more difficult for them to retain control over the security of their information and for senior management to comprehend the level of risk to which they are exposed.

"Companies can outsource their work, but they can't outsource responsibility for its security," Edwin Bennett, Global Director of Ernst & Young's Technology and Security Risk Services, said. "Fewer than one-third of those companies conduct a regular assessment of their IT providers to monitor compliance with information security policies -- they are simply relying on trust. Organizations have to demand higher levels of security from their business partners."

The Ernst & Young survey indicates that organizations remain focused on external threats such as viruses, while internal threats are consistently under-emphasized. Companies will readily commit to technology purchases such as firewalls and virus protection, but are hesitant to assign priority to human capital.

"While the public's attention remains focused upon the external threats," Bennett said, "companies face far greater damage from insiders' misconduct, omissions, oversights, or an organizational culture that violates existing standards. Because many insider incidents are based on concealment, organizations often are unaware they're being victimized. Too many organizations feel that information security has no value when there is no visible attack. This is a perception that has remained unchanged over the decade that Ernst & Young has been conducting this survey."

Companies should instead place more emphasis on creating a security-conscious culture that includes setting the right "tone at the top" -- this is vital in changing the way organizations approach information security, Bennett believes. "Companies can transform their view of information security, and approach it as a way to gain competitive advantage and preserve shareholder value, rather than merely consider it a necessary cost of doing business," he said. "However, this transformation must be led by a visible shift in attitude from the CEO and the board. At present, only 20 per cent of organizations view information security as a CEO-level priority. More could and should be done to transform the skills and awareness of their people, who often present the greatest opportunity for vulnerabilities - and convert them into its strongest layer of defense."

About Ernst & Young

Ernst & Young, a global leader in professional services, is committed to restoring the public's trust in professional services firms and in the quality of financial reporting. Its 103,000 people in more than 140 countries around the globe pursue the highest levels of integrity, quality, and professionalism to provide clients with solutions based on financial, transactional, and risk-management knowledge in Ernst & Young's core services of audit, tax, and transaction advisory services. Ernst & Young practices also provide legal services in some parts of the world where permitted. Further information about Ernst & Young and its approach to a variety of business issues can be found at Ernst & Young refers to all the members of the global Ernst & Young organization.

SOURCE Ernst & Young
