Despite the increase of threats facing companies today, over 30% of medium to large South African companies do not have a dedicated information security management position.
This was revealed in a benchmarking study conducted with local companies by information risk researchers at Wolfpack and supported by ISG Africa and the South African Chamber of Commerce and Industry.
Released yesterday, the South African Information Security Thermometer Survey (SA IST) is an independent national study of local information security decision-makers.
According to ISG Africa research director Craig Rosewarne, the exercise entailed the enlisting of 88 local companies across industry sectors, including banking, medical, government, retail and IT.
Rosewarne says the team's intention was to measure the maturity of information security management practices across a range of medium to large companies. IT and information security decision-makers at the said companies were asked 50 questions pertaining to 10 individual areas, including information security governance, training and awareness, and social media and mobile security.
Overlooking ISOs
Asked whether the companies have a dedicated information security officer (ISO) or equivalent senior role devoted entirely to information security, 69.14% said yes. Of the remainder, 22.22% said they did not have such a position, while 8.64% were “in the process of appointing”.
Rosewarne says these figures are startling. “It is difficult to believe that over 30% of medium to large SA companies still do not have a dedicated information security management position.”
He says even more concerning is the probable ratio in the small to mid-sized sector of SA's economy. “They are likely to have minimal controls in place and may be severely impacted by a major incident.”
Boosted budget
According to the SA IST, over 66% of companies had a substantial increase in their security budgets for 2012.
Rosewarne says this, together with more stringent security prerequisites, may instigate a bolstering of ISO appointments in SA in the near future. “I believe with stricter privacy compliance requirements and mounting third party assurance pressures on South African companies, we are going to see an increase in the number of local ISO 27001 certifications.”
But, says Rosewarne, SA has a considerable road to travel in this regard. “If we compare ourselves to other developing countries such as India and China, we still have a long way to go. If we as a continent wish to attract foreign investment, [increased security management] will highlight our good governance in providing independent assurance to our investment partners that we take information security seriously.”
Social security
According to the study, close on 66% of companies block access to Google's video-sharing Web site YouTube, while an average of 25% block access to social networking sites Facebook and Twitter. Business-related site LinkedIn was deemed the safest networking tool, with less than 9% of companies blocking the site.
For corporate access to e-mails and calendaring, the following percentages of access were allowed by companies taking part in the study:
* 60.23% permitted use of the BlackBerry (RIM) platform;
* 42.05% of the iOS platform (Apple iPhone and iPad);
* 32.95% Android platform;
* 45.45% Windows; and
* 29.55% of the Symbian (Nokia) platform.
The study rounds up the biggest challenges faced by South African companies' CIOs in terms of managing information security programmes. The biggest challenge, says Rosewarne, is that of preventing data leakage. This is followed by insufficient budgets to do a thorough job, and an overall lack of commitment from senior management to information security.
Rosewarne says a cyber crime barometer is on the cards for early next year. “We plan to conduct further research, on the issue of cyber crime, to understand the true cost of this activity to the South African economy.”