Businesses are failing to adequately protect against future security threats

Businesses are failing to adequately protect against future security threats
External threats are on the increase

According to accountants Ernst & Young's 15th Global Information Security Survey 2012 the majority of respondents (77%) have experienced a higher number of external attacks to the business - up from 72% in 2011 and up from 41% in 2009,

In the same span of time, organisations have also noticed an increase in internal vulnerabilities. In this year's survey, nearly half of respondents (46%) say they have noticed an increase. Thirty-seven percent rank careless or unaware employees as the threat that has increased the most over the last 12 months.

The security threat gap

However instead of businesses enhancing their security businesses appear to be doing the opposite, Ernst and Young has revealed a widening security gap, between the current level of information security and the level of security required to deal with the accelerating threat level

Nearly two-thirds (64%) of organisations have no robust security architecture framework in place and almost half of respondents (45%) admit to only discussing information security issues once a year with their boards.

Ernst & Young found that one of the reasons for the rise in attacks was new technologies such as cloud computing and Bring Your Own Device (BYOD) that businesses are adopting in order to cut costs and be more efficient. One in five (20%) businesses have not taken any measures to mitigate the risks, such as stronger oversight on the contract management process for cloud providers or the use of encryption techniques.

Lack of budget and skills

The report points to two main reason for the lack of security budget and lack of skills

Over half (61%) of the businesses surveyed named budget constraints as the main obstacle to their company's information security strategy. While lack of specialist skills is cited as the main symptom that forces organisations (57%) to focus on the implementation of improvements to their information security capabilities that provide only short-term solutions instead of tackling the issues associated with the overall threat.

Mark Brown Director of Information Security at Ernst & Young commented: "The results of our survey point at two necessary changes. On the one hand, businesses need to understand that information security can no longer simply be an IT issue. They need to transform their perception of information security and make it a board sponsored topic that is eventually embedded in the core strategy of a business.

"On the other hand, we need to look at the bigger picture – that of the lack of specialist skills. Since the late 1990s the number of UK-born graduates studying mathematics and science degrees has fallen by almost 70%. This has led to an increasing shortage in relevant skills and has put the UK's efforts to tackle growing cyber security risks on the backfoot."