Reports show security awareness and training are still lagging

Two new reports have confirmed that technology is the least of our problems when it comes to security -- it's the people and processes that still need fixing.

While security budgets have held steady despite the economic downturn, recent research from Ernst & Young Ltd. and PricewaterhouseCoopers LLP shows a lack of targeted spending and an over-reliance on technology to achieve security. Poorly trained people remain the weakest link.

The 11th Ernst & Young Global Information Security survey, which covered 1,400 organisations in 50 countries, found that only 44 percent of respondents were training their staff in data handling, even though they continued to fund investment in security tools.

Seamus Reilly, director in technology and security risk services at Ernst & Young, said the UK was broadly in line with global trends, but there were exceptions.

For instance, Reilly said the UK lags behind in strategic planning for security: while 18 percent of global organisations admitted they had no documented strategic security plan for the next three years, the figure in the UK was 30 percent.

"UK companies need to be sure they are spending their budgets in the right places, and for that you need to have an information security strategy," said Reilly.

On the other hand, UK security professionals have more contact with senior company stakeholders, with 54 percent of them meeting with the audit committee on a quarterly or half-yearly basis, compared to 32 percent globally. Privacy is also a higher priority in the UK, with 88 percent of respondents implementing privacy controls and 83 percent saying that they now have a clear understanding of privacy law, 17 percent higher than the global average.

Management of third-party risk is also a higher priority in the UK, with 58 percent of companies including information security requirements in contracts with external suppliers, compared to a global average of 45 percent.

But although many defences are in place, Reilly said many basics of security were still overlooked. "You need to understand what personal information you have in the organisation, and have an inventory of [the data] -- many organisations have not even done that yet. It is the basis of dealing with personal information appropriately," he said.

"Many incidents in the UK come down to people acting inappropriately -- either not following a policy, or just trying to help someone else, and releasing information. There is a disconnect -- we have not yet tackled the personal awareness problem yet in the UK."

That conclusion is echoed by the latest PricewaterhouseCoopers annual Global State of Information Security Survey. After surveying 7,000 information technology executives from 119 countries (over 300 from the UK), researchers found that most UK companies in the sample did not know where their data was located, 37 percent were not sure how many incidents they had had, and more than half could not say what types of security incidents had occurred or what had caused them. About a third of companies had neither measured nor reviewed the effectiveness of their information security policies over the past year.

The study also concluded that although UK companies have invested heavily in technology for information security, they tend to focus on purely technical safeguards.
