Some thoughts and highlights on the Global Information Security Survey 2004 of Ernst&Young
There are some of my thoughts and highlights that I wish to share with you about the Global Information Security Survey 2004 of Ernst&Young.
First, there is the targeted population: more than 1230 enterprises in 51 countries. 22% of them have more than 1 billion in revenues and 56% of them more than 100 millions.
One of the things that I need to point you out in this survey is what I already observed and I posted on this blog since 3 weeks. This thing is the management-based approached of security. It’s the importance of the employees as a security layer in the infrastructure of the system. Unfortunately, senior management is more trusting than prudent. This situation seems to be the root of many problems.
As many people think, one of the best security layer that enterprises can have is his employees. Ironically, this same layer can also be the weakest link. The problem is that they need to be trained and educated in there role in the infrastructure as a security layer. If you do so, you’ll have one of your strongest link; otherwise, there is a good probability that this layer would be your weakest.
The main influence factor in the security of an enterprise is the senior management. It’s their decisions that will affect the security of their enterprise. If they don’t care, who will? This is the problem that I pointed many times before on this blog. First, we need to educate our top-level administrators and managers. After we’ll be ready to educate employees of other levels. However, the idea is not viable if senior managers are not aware of the situation.
The easiest and less expensive attack that we can perform to enter a system is by exploiting the human factor. An attacker only needs one negligent employee to attack the whole system and take into it. By knowing that, it’s now ease to understand why it’s so important to educate every employee of an enterprise, from the concierge to the Board of Director.
After this said; we can get a look at numbers.
Interesting numbers are them related with the human dimension of the security. You can see them at pages 13 and 14. Only 53% of the respondents train their employees in a security and awareness program. Don’t forget, it’s an important factor in the success of a security infrastructure. Only 56% train there employees to identify and report suspicious activities. Finally, 60% provide instruction to there employees to classify data. The problem with the former is that the biggest asset an enterprise tries to secure is their data.
Companies correctly identified insiders as the second highest rated threat. The problem is that they don’t do many things to cope with this reality as we can see in the results up there. As said in the survey:
“Employee misconduct involving information systems”
cited as a distant second behind “major virus, Trojan
horse or Internet worms,” the top threat to organizations
– Less than 30 percent listed “raising employee information
security training/awareness” as a top initiative in 2004
As you know, security is a process. This means that you need to periodically upgrade and change the security policies to cope with his changing environment. The problem is that 39% of the enterprises of the survey fail to periodically review their security policies for compliance. Moreover, close to 70 percent[15% monthly, 16% quarterly, 8% semi-annually, 10% annually, 39% ad hoc, 11% never] of the respondents’ board of directors failed to receive a quarterly report about the organization’s information security status.
According to Ernst&Young, top obstacles to effective information security in 2004 are Lack of security awareness by users, Budget constraints or limitations, Availability of skilled staff, Difficulty proving the value of information security and Pace of information technology change. The three firsts can be overcome by education. The first by the education of the employees of the enterprise. The second by the education of the senior managers and the third by talking with the universities and other educational institutions to help them bringing programs that cope with the needs of the private industries. Three obstacles; one solution: education.
99% of the respondents have antivirus software and respondents said that with an occurrence of 68% major virus, trojan horse, or internet worms was the result of an unexpected or unscheduled outage of their critical business systems in 2003. Why? Because of the insiders. They see an attachment in an email, the click on it. Another possibility can be the lack of system upgrade. Think about Codered or other major virus.
Another interesting numbers are the ones that talk about outsourcings. 28% of the respondents outsource information technology operation(s) to foreign-based solution providers. Take note that the percentage grows to 46% with companies with revenues over 1 billion. The problem is that only 20% of the respondents conduct a regular assessment of their IT outsourcer’s compliance with the host organization’s own information security regulatory requirements. Moreover, only 30% of the respondents conduct a regular assessment of their IT outsourcer’s compliance with the host organization’s own information security policies. This is unbelievable but this is true. Companies have some type of security policies, but they don’t necessary demand the same level of security for their foreign-based solution providers. I have some thoughts related with the security in outsourcing that I’ll write about in a future post. As said in the survey:
– 80 percent failed to conduct a regular assessment of
their IT outsourcer’s compliance with the host
organization’s information security regulatory requirements
– 70 percent failed to conduct a regular assessment of their
IT outsourcer’s compliance with the host organization’s
information security policie.
I encourage you to read the whole survey. It’s a really interesting reading and it succeed to cope the whole thing. Moreover the analysis done by Ernst&Young is short, accurate and readable without being boring. So, go on and enjoy the reading.