Companies worldwide will continue to invest more money in information security going forward, and are increasingly adopting international security standards, according to advisory firm Ernst & Young.
The firm, which released its 2008 Global Information Security survey on Wednesday, said that a growing number of companies were seeing a link between information security and the effects a security breach could have on their brand or reputation.
“We believe that organisations recognise that security cutbacks would have an adverse effect on stakeholder perceptions. Most also believe that security threats and attacks increase during an economic downturn,” commented Ernst & Young technology security risk services global leader Paul van Kessel.
Of the 1 400 respondents, 85% believed that a security breach would have a significant impact on their company’s reputation or brand, while 72% also listed the possible loss of revenue as a significant concern.
Only 68% listed regulatory sanctions as a concern.
Nevertheless, 67% of respondents said that they had already implemented controls to protect personal information.
Ernst & Young also said that 50% of the respondents were planning to increase their security budgets, with only 5% of respondents planning to decrease the amount they spent on security.
Van Kessel stated that a good brand and reputation could be severely damaged or even destroyed by a single security incident.
He asserted that, while most improvements in information security had stemmed from regulatory compliance over the past few years, the desire to protect their brand and reputation was motivating companies to do more than “just tick regulatory and corporate compliance boxes.”
Meanwhile, Van Kessel said that while progress had been made, there were some key areas of concern, such as insider threats, privacy and third-party relationships.
“It is the people who are often the ‘weakest link’, with 50% of respondents citing awareness within their organisation as the most significant challenge to information security. Businesses must work with information security to develop training and awareness programmes and to adopt more sophisticated testing techniques,” he commented.
Further, he noted that the use of third parties or outsourcers was on the increase.
Only 45% of respondents said they included specific information security requirements in all of their contracts with third parties, and almost one-third did not review or assess at all how contractors were protecting their information.
“There are an increasing number of reported incidents of data loss involving third parties and outsourcers that tells us that information security must be ‘portable’. Wherever data is in your supply chain it must be protected, and monitoring must encompass all those with whom you work,” said Van Kessel.
SECURITY IN SOUTH AFRICA
Meanwhile, Ernst & Young South African risk advisory services manager Yvette du Toit commented that the threat of “tangible financial loss” owing to an information security breach was more pronounced in South Africa.
“While [risk to a company’s reputation] is an absolute given, there is a preponderance of incidents where fraud or corruption related to security breaches results in actual losses, rather than the more intangible consequence of damage [to a company’s reputation],” she said.