Viruses, conduct top worries

Ernst & Young survey of information security

Companies have identified major viruses, spam and employee misconduct as the key concerns in India, according to Ernst & Young's 2004 Global Information Security Survey.

Its findings were announced by Sunil Bhumralkar, partner, Ernst & Young and Terry Thomas, partner, Ernst & Young's risk and business solutions practice, in Bangalore on Wednesday.

The survey has cautioned that organisations around the world are failing to guard themselves against increasingly more potent threats to the security of their information. While corporate leaders are increasingly aware of the risks posed to their information security by people within their organisations, they are not acting on the knowledge.

"Over 70 per cent failed to list training and raising employee awareness of information security issues as a top initiative," the report said.

The top concern in India is major viruses and internet worms. Employee misconduct is ranked as the number two worry worldwide, but is only third in India. Spam mail is considered as the bigger bother.

Hence, 91 per cent of Indian respondents have anti-virus systems and 56 per cent have specific anti-spam protection for their networks. However, less than half (40 per cent) of the respondents provided their employees with ongoing training in security and controls.

According to Thomas, "While the organisations remain focused on external threats like viruses, the internal threats are constantly being under-emphasised. Companies will readily commit to technology purchases, but are hesitant to assign priority to human capital."

Only a quarter of the respondents globally gave their information security departments the highest rating in meeting the needs of the organisation.

Global findings also reveal that 80 per cent failed to regularly assess their IT outsourcer's compliance with the host organisation's information security regulatory requirements. Another 70 per cent failed to conduct a regular assessment of their IT outsourcer's compliance with the host organisation's information security policies.

According to the findings, the biggest obstacle to effective information security today is "lack of security awareness among users", ahead of "lack of sufficient budget", which was placed as biggest obstacle in the 2003 survey. Indian organisations have cited "availability of skilled staff" as their biggest hurdle with "user awareness" coming in second.

As many as 86 per cent respondents from India rated information security as "very important". Despite this, only 31 per cent of Indian organisations and 20 per cent their global counterparts "strongly agree" that information security is perceived to be a "CEO-level priority".

"Today, laws that focus on financial reporting and data protection like Sarbanes Oxley and Health Insurance Portability and Accountability Act (HIPAA), are supplying senior management with the motivation to be more concerned about these critical issues," the survey said.