The survey, which canvassed nearly 1,400 senior executives in public and private sectors in more than 50 countries, shows that most believe that a security incident would have a greater impact on reputation and brand than on revenues, with 85 percent of respondents citing damage to reputation and brand as significant, compared with 72 percent for loss of revenues. Regulatory sanction is cited by only 68 percent.
Paul van Kessel, global leader of Ernst & Young's Technology and Security Risk Services, comments: "A good brand and reputation can take years to build but can be severely damaged or even destroyed by a single security incident. The media coverage surrounding security breaches underscores just how devastating these failures can be to a firm's reputation. For the past few years, most improvements in information security stemmed from regulatory compliance. Now, the desire to protect brand and reputation is motivating many organizations to do more than just tick regulatory and corporate compliance boxes."
Despite tightening economies, the survey indicates that organizations are increasing investments in information security and more organizations are adopting international security standards. More than two thirds (67 percent) of respondents interviewed say they have now implemented controls to protect personal information.
Van Kessel continues: "Overall, the results of this year's survey are encouraging; however, there are some key areas -- such as insider threats, privacy and third-party relationships -- that need more focus and investment."
Spending set to Increase
Despite an economic downturn faced by some of the world's largest economies, 50 percent of respondents are set to increase their budgets for security; in fact, only 5 percent plan to decrease their current budgets. Jose Granado, principal, Information Technology Enablement Center-Americas Security Leader, adds: "We believe that organizations recognize that security cutbacks would have an adverse effect on stakeholder perceptions. Most also believe that security threats and attacks increase during an economic downturn."Where the money is spent will be critical. It is not enough to simply fund further technical solutions, such as encryption. Many organizations are struggling to integrate information security strategy and raise organizational awareness of information security benefits to the business. But it is the people who are often the "weakest link", with 50 percent of respondents citing awareness within their organization as the most significant challenge to information security. Businesses must work with information security to develop training and awareness programs and to adopt more sophisticated testing techniques."
Third Parties in the Spotlight
The use of third parties and outsourcers is on the increase, and organizations are taking some important steps to safeguard information, but there is room for improvement. Only 45 percent include specific information security requirements in all of their contracts with third parties. Almost one third do not review or assess how contractors are protecting their information.Van Kessel concludes: "There are an increasing number of reported incidents of data loss involving third parties and outsourcers that tells us that information security must be "portable." Wherever data is in your supply chain it must be protected, and monitoring must encompass all those with whom you work."
