Organizations Don’t Address Security Problems
Companies worldwide are not sufficiently addressing information security threats from within, a new survey conducted by professional services provider Ernst & Young shows. According to the study, “employee misconduct involving information systems” was rated the second-highest security concern, but still ranked far behind the top risk, “major virus, Trojan horse or Internet worms.” Additionally, of the 1,233 organizations in 51 different countries that responded, more than 70 percent did not list employee training and awareness of information security issues as a top priority.
These unconcerned responses were at odds with recent findings of leading research groups, which demonstrated that many of the most feasible and most devastating attacks come from legitimate network users: current, temporary and former employees. In fact, although 100 percent of respondents reported having anti-virus systems and 71 percent had anti-spam protection (“spam” was the third most significant security problem), only about 56 percent train users to identify and report suspicious activities on their networks.
Executives’ unwillingness to confront internal threats might be explained in part by the fact that attacks by network users almost always are clandestine, and when they are exposed, companies tend to keep the incidents under wraps. Conversely, the other major issues are impossible to ignore: Various viruses and worms have received exposure in the national media, and anyone who has an e-mail account knows what spam is and why it’s a problem.
The level of apprehension among respondents in this survey has remained nearly unchanged since Ernst & Young initiated it 10 years ago, said Edwin Bennett, the company’s global director of Technology and Security Risk Services. “While the public’s attention remains focused upon the external threats, companies face far greater damage from insiders’ misconduct, omissions, oversights or an organizational culture that violates existing standards,” he said. “Because many insider incidents are based on concealment, organizations often are unaware they’re being victimized. Too many organizations feel that information security has no value when there is no visible attack.”
The study concluded that to change this attitude, companies will have to promote greater responsibility from the top down, at the executive, managerial and employee levels. “Companies can outsource their work, but they can’t outsource responsibility for security,” Bennett said.
For more information, see www.ey.com.