Report: U.K. lags in information security management practices

According to a new study, British companies are falling behind the rest of the world when it comes to securing enterprise data.

British companies are falling behind the rest of the world in information security management practices, according to a new study from PriceWaterhouseCoopers.

The company surveyed 7,000 security professionals globally, mainly in large companies -- including 455 in the U.K. -- and found that British organisations appear to be less prepared to combat the risks that confront them in their information systems.

The findings (see table below) show that the U.K. lags in several key areas of information security. Organisations have fewer CISOs in place; only 37% have a clear idea of where their data is stored. Also, nearly half (49%) do not even know how many security incidents they experienced in the previous year.

Other countries also seem to be far more confident of maintaining or increasing their expenditure on security.

William Beer, director of the OneSecure practice at PWC, said that India appeared to be putting a lot more effort into security, having suffered incidents in some of its outsourcing companies. In China, the abundance of skilled resources accounted for the high level of attention being given to security, he suggested.

Beer said that, globally, information security is now getting more high-level attention in organisations, and that investment is now better tied into the risks identified by the business. "Businesses are recognising the value of information security," he said. "The economic downturn is a major driver of information security spending and has put it on the executive agenda. We have seen a reduced misalignment between IT and the business, and more focus on risk."

The study showed that 44% of organisations had made some investment in data loss prevention, compared with 29% last year. But only 45% said their security policies cover the protection, disclosure and destruction of data. And six out of 10 respondents said their organisation still had no accurate inventory of locations or jurisdictions where personal data is collected, transmitted and stored.

Respondents also voiced various concerns over cloud-based computing, including:

  • Inability to enforce security policies at a provider (23%).
  • Inadequate training and IT auditing (22%).
  • Questionable privileged access control at the provider site (14%).
  • Questionable recovery of data if a contract ended (12%).
  • Proximity of the company's data to that of others (11%).
  • Uncertain ability to audit the provider (10%).

"We feel that organisations have learned a lot of lessons through outsourcing that can be applied to cloud computing," Beer said. "But there is still a lot of work to be done."

Table: Information security management practices

Practice                                                                  India   U.S.   U.K.   Brazil   China
Employ a CISO                                                               51%    42%    37%      48%     55%
Have overall information security strategy                                  73%    73%    62%      58%     67%
Expect security spending to increase/stay same over 12 months               80%    59%    49%      82%     86%
Have accurate inventory of where sensitive data is stored                   42%    48%    37%      29%     50%
Don't know how many security incidents occurred over the last 12 months     18%    41%    49%      15%      7%
