http://www.theage.com.au/articles/2004/10/07/1097089457543.html

Bangalore, India
October 7, 2004

Global corporations are failing to safeguard their information networks against potent threats from viruses, worms and especially their own employees, according to a report unveiled here on Wednesday by consultancy firm Ernst and Young.

The Global Information Security Survey said that while corporate leaders were increasingly aware of the risks to their information security from people within their organisations, they are not acting on that knowledge.

"More than 70 percent of the companies surveyed failed to list training and raising employee awareness about information security issues as a top initiative," the report said.

Ernst and Young polled more than 1233 organisations from across 70 countries. There were 69 respondents from India, making it the second largest country sample.

"While organisations remain focused on external threats such as viruses the internal threats are constantly being under-emphasised," said Terry Thomas, partner, Ernst and Young's Risk and Business Solution Practice.

"People and organisational issues are equally important. Because many insider incidents are based on concealment, organisations are often unaware that they are being victimised," Thomas told reporters.

The report said that as corporations increasingly outsource business to third-party vendors outside their region, it was becoming more difficult to retain control over the security of their information.

"The more likely and most lethal threats are those originating from within an organisation's growing extended enterprise," it said.

The report said 80 percent of the organisations surveyed failed to conduct regular assessment of their IT outsourcer's compliance with the host organisation's security regulatory requirements.

Most organisations, it said, felt that information security had no value when "there is no visible attack."

"This perception has remained unchanged over the decade that Ernst and Young has been conducting the survey. The topmost obstacle to effective information security today is the lack of security awareness by users," said Thomas.

Although 67 percent of the organisations claimed information security was "very important ... persistent gaps continue to exist in the amount of diligence and resources that are deployed to improve the degree of protection."

"Information security threats are more lethal today. We expect that incidents, particularly internal ones, will proliferate unless senior management makes information security a core management function," Thomas said.

In India, 91 percent of respondents said they had anti-virus systems installed and 56 percent had specific anti-spam protection for their network.

However, less than half of respondents from India and globally provided employees with ongoing training in security and control, the report said.

Indian organisations, it said, had cited "availability of skilled staff" to implement security as their top problem, with "user awareness" in second position.

"India is emerging as a favourite destination for outsourcing but organisations are not really understanding the security implications," Thomas said.

"They rely mostly on faith and trust rather than addressing hard facts. Employee misconduct is ranked as the number two worry in the world but it is third on the list in India," he said.