
CEOs thinking tech not training
Published: 27 September 2004 08:30 GMT
Threats to data security are mounting, especially from within organisations, but top executives aren't helping their companies keep pace, a new study has found.
CEOs are increasingly aware of the risks posed to company information by insiders, but they aren't acting on this knowledge, according to the 2004 Ernst & Young Global Information Security Survey. More than 70 per cent of the 1,233 organisations surveyed in 51 countries failed to list training and raising employee awareness of information security issues as a top initiative.
Just 20 per cent of respondents strongly agreed that their organisations perceive information security as a CEO-level priority. Only one-quarter gave their information security departments the highest ratings in meeting the needs of the organisation.
A large part of the problem is that organisations remain focused on external threats such as viruses, while internal threats are consistently underemphasised, the survey found. Executives are quicker to spend money on technology such as firewalls and virus protection than they are to properly prepare their employees.
"Companies face far greater damage from insiders' misconduct, omissions, oversights, or an organisational culture that violates existing standards," Edwin Bennett, global director of Ernst & Young's technology and security risk services, said in a statement. "Because many insider incidents are based on concealment, organisations often are unaware they're being victimised. Too many organisations feel that information security has no value when there is no visible attack."
Threats can also come inadvertently from business allies. Fewer than one-third of the companies surveyed conduct a regular assessment of their IT providers to monitor compliance with information security policies.
The dangers can be reduced by creating a security-conscious culture that starts with executives setting the right tone at the top of the organisation, Ernst & Young said. Organisations also have to demand higher levels of security from their business partners.
The companies surveyed have annual revenues ranging from less than $100m to more than $10bn and operate in areas ranging from finance to retail to government services.
Copyright © 2008 CBS Interactive Limited. All rights reserved.