Ernst and Young: Franchises aren’t protecting information

Ernst & Young has found that franchises around the world are failing to safeguard against increasingly more potent threats to the security of their information.

The 2004 Ernst & Young Global Information Security Survey found that although franchisors are increasingly aware of the risks posed to their information security by people within their operations, they are not acting on this knowledge. More than 70 percent of the 1233 organisations – representing some of the leading companies in 51 countries – failed to list training and raising employee awareness of information security issues as a top initiative.

As organisations move toward increasingly decentralised business models through outsourcing and other external partnerships, it becomes ever more difficult for them to retain control over the security of their information and for senior management to comprehend the level of risk to which they are exposed.

“Companies can outsource their work, but they cannot outsource responsibility for its security,” says Edwin Bennett, global director of Ernst & Young’s technology and security risk services. “Fewer than one-third of companies conduct a regular assessment of their IT providers to monitor compliance with information security policies – they are simply relying on trust. Organisations have to demand higher levels of security from their business partners.”

The survey indicates that organisations remain focused on external threats such as viruses, while internal threats are consistently under-emphasised. Companies will readily commit to technology purchases such as firewalls and virus protection, but are hesitant to assign priority to human capital.

“While the public’s attention remains focused on external threats, companies face far greater damage from insiders’ misconduct, omissions, oversights, or an organisational culture that violates existing standards. Because many insider incidents are based on concealment, organisations are often unaware they’re being victimised. Too many organisations feel that information security has no value when there is no visible attack. This is a perception that has remained unchanged over the decade that Ernst & Young has been conducting this survey,” says Bennett.

Franchises should instead place more emphasis on creating a security-conscious culture that includes setting the right “tone at the top”, which is vital in changing the way organisations approach information security, he believes.

“Companies can transform their view of information security, and approach it as a way to gain competitive advantage and preserve shareholder value, rather than merely consider it a necessary cost of doing business,” says Bennett.

“However, this transformation must be led by a visible shift in attitude from the CEO and the board. At present, only 20 percent of organisations view information security as a CEO-level priority. More could and should be done to transform the skills and awareness of their people, who often present the greatest opportunity for vulnerabilities – and convert them into the strongest layer of defense.”

PwC study

Meanwhile, a study by PricewaterhouseCoopers (PwC) in conjunction with CIO magazine has also confirmed that external factors, including regulations and potential liability, are the primary forces driving security initiatives. The research identifies best practices to combat security threats and the degree to which they have been implemented by participating organisations. The global security study of more than 8000 senior information technology executives representing 62 countries across all industries is the largest ever conducted.

While security spending budgets are flat, the study finds 64 percent of companies say spending will increase this financial year. Interestingly, best practice organisations allocate a higher portion of their budget to information security (14 percent compared to 11 percent for other respondents) and focus more than their counterparts on developing strategies for information security (69 percent versus 56 percent), security architecture (66 percent versus 50 percent), identity management (47 percent versus 31 percent), threat and vulnerability management (62 percent versus 44 percent), and security crisis and incident response (55 percent versus 38 percent).

“Governance and compliance issues are still driving the need for information security,” says Joe Duffy, PricewaterhouseCoopers partner and global leader of its technology and data services practice. “Even though we’re seeing best practice companies begin to take a more strategic look at information security, with the organisations that are most confident in their security efforts taking the time to align security with business strategy, compliance and risk management programs, there is still a lot of room for improvement.”

The greatest barrier to effective security is an inadequate budget. Little or no time to focus on security, as well as limited staff dedicated to security, were also significant barriers, according to the research. The study also determines the most frequent impact of cyber attacks is slowed-down networks, unavailable email and applications and unauthorised spam. Total downtime as a result of these events fell from 26 percent, reporting a total downtime of eight hours or more in 2003 to 21 percent in 2004, with an increased percentage of organisations (26 percent in 2003 and 33 percent in 2004) reporting no downtime.

Global highlights

Study results also shine a spotlight on advances in organisational security programs that the US has made in comparison to the rest of the world. Some of these findings include:

• US organisations (58 percent) are more likely to have established appropriate use of the internet as part of their security policy than organisations in Asia (41 percent), South America (37 percent) and Europe (36 percent).

• Data protection, disclosure and destruction are reported as part of organisations’ security policies at 51 percent of organisations in the US versus 44 percent in Asia, 40 percent in Europe and 24 percent in South America.

• Inventory of assets and assets management were integral parts of organisations’ security policies at 42 percent of organisations in the US, 35 percent in Asia, 27 percent in South America and 25 percent in Europe.

“The study shows some improvement in information security during the past year. However, these improvements are not evenly distributed,” Duffy notes. “There are still great weaknesses in Asia and South America, which trail the US, the world leader, in the development and implementation of best practices. This is primarily due to the wealth and resources of corporations in the US, as well as the litigious nature of US society.”

Examples of best practices

• More frequently reported increased integration of organisations’ corporate and information security personnel (38 percent) compared to 26 percent of overall survey respondents.

• Had more top management support (51 percent) than the overall respondents (37 percent).

• More frequently reviewed policies and procedures (62 percent) in the past 12 months than overall respondents (37 percent).