/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsAlthough Indian companies are well aware of information security threats, the knowledge has not translated into action on that front, cautions a finding carried out by Ernst &Young. This finding forms part of E&Y's 2004 Global Information Security Survey (GISS) in India.
According to the survey, the topmost security concern for companies is major viruses and Internet worms. Spam mail falls next and followed by employee misconduct. The report finds that these perceived threats did not reflect reality.
E&Y risk and business solutions practice partner Terry Thomas said, “Although 70 percent of the information security threats like misconduct, omissions, oversights or organizational culture that overlooks policies and procedures, come from inside the company, there is an under-emphasis of this factor.”
The report also noted that since the first survey was conducted in 1993, in relative terms, not much has changed in terms of attitudes, practices and actions despite the increase in threats and technology as well as higher spends. “Security isn't still aligned with business needs,” added Thomas.
The study covered 69 organizations across India including IT companies, BPO companies, banks and financial organizations, automotive companies and other verticals between April and June 2004.
The study reveals that around 91 percent of the respondents have anti-virus systems and 56 percent have spam protection. However, action in the area of training in security and controls for employees, was found wanting.
Another aspect that was highlighted was that though information security was recognized as being important in achieving overall objectives, only 31 percent of those interviewed felt that their organizations perceived information security as a CEO level priority. The topmost obstacle to effective information security was pinned to lack of security awareness by users, which is ahead of “lack of sufficient budget. Around 40-50 percent of companies also felt that the security spend had “increased slightly” over the previous year.
The survey also included the role of government regulation in security. Only 11 percent felt that government security driven regulations as being highly effective in improving their information security posture and in data protection.
Summing up the results, E&Y feels that a holistic approach is needed to fit in security into the overall scope of the enterprise. The study suggests a management-based approach to security through employee training and awareness and a ruthlessly executed information security policy.