Almost half (47%) of the UK's top 350 companies do not have
a fully documented information security policy, despite the
proliferation of computer viruses and the impact a security breach
could have on a company's share price, according to a
survey.
The IT department is left to develop and enforce a security policy
in 71% of FTSE 350 companies, according to business executives
questioned for the survey.
Simon Owen, partner in the technology assurance practice at
professional services firm Deloitte, said, "The findings are as
alarming as any written security policy. If you fail on security,
how confident can management be that controls are strong throughout
the organisation?
"It could be symptomatic of wider problems throughout the
company."
Owen said a written policy on an organisation's information
security should be no longer than 10 pages and avoid jargon. It
should cover internal and external threats and be backed up by
training to raise awareness of security issues among staff, he
added.
UK companies with a casual approach to IT security also risk the
anger of shareholders, according to the survey, which was
commissioned by IT services company LogicaCMG, which questioned
senior executives at 20% of the FTSE 350 companies.
A security breach would have an impact on a company's share price,
according to 83% of investors, and 68% said that a company's policy
on IT security would be a significant factor when deciding whether
to buy or sell its shares.
Getting it right
"UK companies have a misplaced conception that increased spend in
IT security will mitigate information violations. Unfortunately,
devolving responsibility of information governance away from the
board room to the IT department will not safeguard information
assets.
"Information security governance needs to be embraced throughout
the organisation. The best technology in the world cannot alone
prevent the implications of negligent human behaviour."
Dave Martin, UK principal security expert at LogicaCMG