Companies must change their security tactics to combat new threats

News 31 Oct, 2012 Rene Millman

Ernst and Young survey finds no security framework in place for majority of companies.

Firms need to completely change their stance when it comes to dealing with security threats, according to research.

The study of 1,850 CIOs, CISOs and other information security executives in 64 countries by auditors Ernst and Young found that while organisations incrementally improved security to combat short-term threats, very little was done to tackle the problems associated with the overall information security threat.

The survey found that 31 per cent of respondents had experienced a higher number of security incidents in the last two years. The auditors said that the need to develop a robust security architecture framework has “never been greater”.

Furthermore, some 63 per cent of organisations have no such framework in place and only 16 per cent of respondents reported that their information security function fully meets the needs of the organisation.

Ernst & Young Global Information Technology (IT) Risk and Assurance Services leader, Paul van Kessel said, “the new normal for the CIO is that fast is not fast enough.”

He added: “The velocity and complexity of change is happening at a staggering pace, with emerging markets, continuing economic volatility, off-shoring and increasing regulatory requirements adding to an already complicated information security environment.”

More than three-quarters (77 per cent) of respondents agreed that there is an increasing risk from external attacks, but this is not the only source for concern for global organisations, with 46 per cent reporting that internal vulnerabilities are also on the rise.

Cloud computing continues to be one of the main drivers of business model innovation, with the numbers of organisations using the cloud almost doubling in the last two years. However, 38 per cent of organisations have not taken any measures to mitigate the risks, such as stronger oversight on the contract management process for cloud providers or the use of encryption techniques.

The study also found that just five per cent of chief risk officers are currently responsible for information security, and that many organisations lack the formal risk assessment mechanism provided by the risk function, with the result that 52 per cent of organisations have no threat intelligence programme in place.

“For some organisations, skills, resources, security maturity or budget may be playing a role in their decision-making; but these bolt-on or stack work-around solutions being seen today — which fix short-term information security needs — are masking a bigger problem around vulnerability,” Van Kessel added.

He said if organisations don’t take action to develop comprehensive security frameworks today, “the combined consequences of the current and future issues will only fuel the information security threat further.”