Top UK companies are failing to develop written security policies
Almost half (47%) of the UK's top 350 companies do not have a fully documented information security policy, despite the...



The IT department is left to develop and enforce a security policy in 71% of FTSE 350 companies, according to business executives questioned for the survey.
Simon Owen, partner in the technology assurance practice at professional services firm Deloitte, said, "The findings are as alarming as any written security policy. If you fail on security, how confident can management be that controls are strong throughout the organisation?
"It could be symptomatic of wider problems throughout the company."
Owen said a written policy on an organisation's information security should be no longer than 10 pages and avoid jargon. It should cover internal and external threats and be backed up by training to raise awareness of security issues among staff, he added.
UK companies with a casual approach to IT security also risk the anger of shareholders, according to the survey, which was commissioned by IT services company LogicaCMG and questioned senior executives at 20% of the FTSE 350 companies.
A security breach would have an impact on a company's share price, according to 83% of investors, and 68% said that a company's policy on IT security would be a significant factor when deciding whether to buy or sell its shares.
Getting it right
"UK companies have a misplaced conception that increased spend in IT security will mitigate information violations. Unfortunately, devolving responsibility of information governance away from the board room to the IT department will not safeguard information assets.
"Information security governance needs to be embraced throughout the organisation. The best technology in the world cannot alone prevent the implications of negligent human behaviour."
Dave Martin, UK principal security expert at LogicaCMG