
Users hamper information security


Johannesburg, 28 Sep 2004

Employees still pose the biggest corporate security threat, while IT systems are the main corporate security focus, reports audit and business advisory firm Ernst & Young in its latest Global Information Security Survey.

Shaun Nel, Ernst & Young senior manager for Information Systems Assurance and Advisory Services (ISAAS), said in launching the 2004 survey results in Johannesburg today that overall, respondents listed "lack of security awareness by users" as the top obstacle to effective information security. Despite this, less than half provided staff with ongoing security and controls training.

The survey was conducted among chief information officers and chief information security officers at 1 233 companies in 51 countries. In SA, 34 organisations were sampled - 59% of them listed on the JSE Securities Exchange.

Nel said South African CEOs were proving to be "more hands-on with information security issues" and "giving information security top-level priority compared to their global counterparts".

In SA, 42% of the respondents rated information security as a top-level priority issue that was driven by the office of the chief executive. This compares with only 20% of global respondents who regarded information security as a CEO-driven issue.

Grant Brewer, Ernst & Young partner for ISAAS, says the importance of information security becomes "increasingly elevated as companies align the achievement of their objectives with a more robust information security system".

"As the dangers facing intellectual property become more pronounced and increasingly complex, information security becomes a top drawer issue," he says.

In spite of growing awareness about the importance of information security among the respondents, the survey found that organisations remained focused on external threats such as viruses, while internal threats were generally neglected.

"Companies will readily commit to technology purchases, such as firewalls and virus protection, but are hesitant to assign priority to human capital," says Brewer, pointing out that no amount of technology can reduce the human threat.

"While the public's attention remains focused upon external threats, companies face far greater damage from insider's misconduct, omissions, oversights or an organisational culture that violates existing standards."

Brewer notes that many organisations feel information security has no value when there is no visible attack. "This is a perception that has remained unchanged over the decade that Ernst & Young has been conducting this survey."

The South African survey respondents expect information security expenditure to increase by 50% over last year.
