• 72% of respondents see increasing level of risk due to external threats
  • 80% likely to adopt mobile tablet usage yet security implementation still low
  • Cloud computing is top security funding priority for the coming 12 months

Kyiv, London, 28 November 2011: In the rush to “digitize” their businesses with new technologies and move into the increasingly borderless world of cloud computing and social media, global organizations are developing a growing gap between business needs and the ability to tackle new and complex security threats, according to Ernst & Young’s 14th annual Global Information Security Survey.

The survey of 1,700 organizations globally found that 72% of respondents are seeing an increasing level of risk due to increased external threats. At the same time, however, only about a third of respondents have updated their information security strategy in the past 12 months.

With 80% of organizations currently using or considering using mobile tablets and 61% using or considering the use of cloud computing services within the next year, the threat of security breaches has become an after-thought in the rush to adapt to the rapidly changing landscape.

Paul van Kessel, Ernst & Young Global IT Risk and Assurance Leader, comments: “More and more major businesses and industries are being run on software and delivered as online services. Data is everywhere. Confronted with diminishing borders, cloud services and business models in the cloud, companies are asking themselves how to respond to new and emerging risks and whether their strategy needs to be revisited.

“The focus must move from short-term fixes to a more holistic approach integrated with long-range strategic corporate goals.”

Funding

It is encouraging that 59% of respondents plan on increasing their information security budgets in the coming 12 months. However, only 51% of respondents stated that they have a documented information security strategy.

Respondents named cloud computing as their top information security funding priority for the coming 12 months. Overall, for the second consecutive year, respondents have indicated that business continuity is their top funding priority.

Mobile tablets

The adoption of tablets and smartphones ranked second-highest on the list of technology challenges perceived as most significant, with more than half of respondents listing it as a difficult or very difficult challenge. Policy adjustments and awareness programs are the top two measures used to address risks posed by this new mobile technology. The adoption of security techniques and software, however, is still low. For instance, encryption techniques are used by fewer than half (47%) of the organizations.

Building trust in the cloud

Despite the compelling story for cloud adoption, many organizations are still unclear of the implications of cloud and are increasing their efforts to better understand the impact and the risks. In 2011, 48% of respondents listed the implementation of cloud computing as a difficult or very difficult challenge, and more than half have not implemented any controls to mitigate the risks associated with cloud computing. The most frequently taken measure is stronger oversight on the contract management process with cloud providers, but even this is only done by 20% of respondents, indicating a high and possibly misguided level of trust.

“In the absence of clear guidance, many organizations seem to be making ill-informed decisions, either moving to the cloud prematurely and without appropriately considering the associated risk, or avoiding it altogether. Although many organizations have moved to the cloud, many have done so reluctantly.”

Almost 90% of respondents are in favor of external certification, with nearly half (45%) saying this should be based only on an agreed-upon standard.

“Whilst there are alliances working toward this goal, it is not enough to rely on external entities to address all of the risks associated with cloud computing”, says van Kessel. “These risks can represent a significant change to the way an organization operates and must be managed by formal enterprise and IT risk management procedures.”

Social media

Most respondents (72%) claimed that external malicious attacks were their top risk. These attacks may be fuelled by information obtained through the use of social media that was used to send targeted phishing messages to targeted individuals.

To help address potential risks posed by social media, organizations seem to be adapting a hard-line response. More than half (53%) have responded by blocking access to sites rather than embracing the change and adopting enterprise-wide measures.

Top level priority

The survey shows that only 12% of respondents are presenting information security topics at each board meeting and less than half (49%) of our survey respondents stated that their information security function is meeting the needs of the organization.

Van Kessel concludes: “A pragmatic and pro-active response rather than a reactive one is required. Information security needs to be more visible in the board room with a clearly defined strategy that will support the business in the cloud and elsewhere. Most companies still have a long way to go to make this a reality.

“In order to effectively manage IT risks in general, organizations need to get a broad and comprehensive view of the entire IT risk landscape. This holistic perspective will provide companies with a starting point to help identify and manage current IT risks and challenges, as well as those that may evolve over time.”

Nikolay Samodaev, Partner, Head of IT Risk and Assurance Services in the CIS, says: "Based on our practice in the CIS markets, we regret to note that the level of development and integrity of IT security and IT risk management system is not sufficient. This is especially true for complex enterprises in terms of IT architecture and organizational structure. Companies often lack the so-called helicopter view, in that many IT-related business initiatives and IT and IT security projects are pursued without proper regard for their potential synergies and ramifications, including with respect to maintaining business continuity and IT security."

Notes to editors:

Ernst & Young’s 2011 Global Information Security Survey was conducted between June and August 2011. Nearly 1,700 organizations in 52 countries and across all major industries participated.

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young expands its services and resources in accordance with clients’ needs throughout the CIS. 4000 professionals work at 18 offices in Moscow, St. Petersburg, Novosibirsk, Ekaterinburg, Kazan, Krasnodar, Togliatti, Yuzhno-Sakhalinsk, Almaty, Astana, Atyrau, Baku, Kyiv, Donetsk, Tashkent, Tbilisi, Yerevan, and Minsk.

Ernst & Young established its practice in Ukraine in 1991. Ernst & Young Ukraine now employs more than 500 professionals providing a full range of services to a number of multinational corporations and Ukrainian enterprises.

For more information, please visit www.ey.com/ua.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.