Irish firms tops for security awareness

scojones

Article taken from ENN

Irish firms tops for security awareness
Thursday, September 23 2004
by Ciaran Buckley

Irish companies are aware of internal threats to security, but give higher priority to technological safeguards than they do to employee training.

The 2004 Ernst & Young Global Information Security Survey found that Irish companies are more aware of security threats than their international counterparts.

More than 70 percent of the 1,233 organisations surveyed in 51 countries failed to list training and employee awareness of security issues among their top five security initiatives. In contrast, Irish companies listed employee misconduct as a fourth priority, while viruses, Trojans and worms were collectively listed as the number one security priority. Spam and loss of customer data were the second and third priorities for Irish businesses.

"There are a number of reasons why Irish companies might be more aware of internal security issues than other companies; part of it is the fact that regulatory requirements have become more important in recent years," said Mike Harris, manager of Ernst & Young's technology security risk service, speaking to ElectricNews.net. "Also, a lot of the companies surveyed would be subsidiaries of international companies, which makes them more aware of these issues than would be the case in other countries."

When it comes to countering security threats, the survey found that companies are happy to commit to technology purchases such as firewalls and virus protection, but are slow to invest in their employees as a way of improving security. Such measures would include giving continuous training in security and controls to employees. It would also mean instructing employees on the necessity of classifying sensitive data and reporting suspicious activities.

The survey also found that more Irish companies have a Chief Information Security Officer, Chief Security Officer or Chief Risk Officer in place than do their global and European counterparts.

In general, security practices are more widely deployed in Irish organisations than in their counterparts and Irish organisations report on security issues to the board of directors on a more frequent basis than their global and European counterparts. The survey also found that 63 percent of Irish organisations will spend more on security in 2004 than they did in 2003.

The survey also noted that outsourcing was leading to a situation where companies no longer have full control of their security and that this meant that companies did not comprehend the level or risk to which they are exposed.

"When you're outsourcing to larger companies, it's hard for them to understand the risk associated with the information they've been given, to know which is the information that needs the greatest control," said Harris. "Also, when the outsourcing agreement was set up, security may not have been taken into account and they're not going to spend money on security if it isn't in the agreement."