Less than a third of global businesses have an IT risk management programme capable of dealing with the risks related to the use of new technologies, a study has revealed.
Just one in ten regard new and emerging IT trends as very important for the information security function to consider, according to Ernst & Young's 13th annual Global Information Security Survey.
Some 60% of respondents see a significant increase in use of external service providers and adoption of new technologies, such as cloud computing, as an increased risk.
Despite this, only 46% intend to increase their annual investment in information security, although this figure rose to 67% among UK participants.
Technology advances represent a massive opportunity for IT to deliver significant benefits to the organisation, but new technology also means new risk, said Seamus Reilly, of Ernst & Young IT Risk Advisory.
"It is vital that companies not only recognise this risk, but take action to avoid it," Seamus Reilly said.
The mobile workforce
Over half of respondents said increased workforce mobility poses a considerable challenge to information security. This was due to widespread use of mobile computing devices that allow people to access and distribute business information from anywhere at any time.
For almost two-thirds of respondents, employees' level of security awareness is recognised as a considerable challenge.
"As the mobile workforce continues to grow, so does the level of risk. In addition to implementing new technology solutions and re-engineering information flows, companies must focus on informing the workforce about risks," said Reilly.
The delivery of effective and regular security awareness training is a critical success factor as companies attempt to keep pace with the changing environment, he said.
Half of respondents plan to spend more over the next year on data leakage and data loss prevention, a 7% increase from 2009.
To address potential new risks, 39% are making policy adjustments, 29% are implementing encryption techniques and 28% are implementing stronger identity and access management controls.
The survey found data leakage was seen by 50% of UK respondents as either their top or second priority. It highlighted that UK respondents reported significant use of encryption technologies for laptops, at 85% compared with 47% globally.
For the first time, continuous availability of critical IT resources was identified by respondents as one of the top five risks.
Increased mobility and lack of control over end-user devices can cause problems when trying to implement effective and efficient business continuity and disaster recovery capabilities.
Half of respondents globally - but only 36% of UK respondents - identified this as an area of increased expenditure.
UK respondents reported higher levels of key business continuity capability, including having a defined business continuity strategy (93% vs 60% globally) and business continuity testing plans (85% vs 55% globally).
Only 3% of UK participants reported having no BCM programme, compared with 13% globally.
Cloud computing services are gaining greater adoption, with 23% of respondents using cloud computing services and a further 15% planning to use them within the next 12 months.
When asked if an external certification of cloud service providers would increase trust, 85% of respondents said yes, with 43% stating that the certification should be based upon an agreed standard and 22% requiring accreditation for the certifying body.