Global IT surveys show some cause for concern

Big Four firms Ernst & Young and PricewaterhouseCoopers have each released their annual global information security surveys, and both polls point to some disturbing trends in corporate America.

E&Y's 2004 Global Information Security Survey concluded that, among other issues, security threats to corporations are growing more lethal, and the overall sentiment in many companies is to wait until there is a major security breach before taking any action to prevent such a breach.

And while many people think of viruses, worms and spam e-mail when they think of security threats, the E&Y survey summary pointed out that, "Organizations face greater damage from insiders' misconduct, omissions, oversights or an organizational culture that violates pre-existing policies and procedures. Because many insider incidents are based on concealment, organizations often are unaware they are being victimized."

The E&Y results also emphasized the fact that many security breaches go unreported, "or worse, undetected," thus giving a false impression of the level of success of information security at any given company.

PwC's Mark Lobel pointed to the maze of security access points within an organization as a major source of potential security breaches. Lobel serves as director in PwC's security services practice and is the primary lead on the firm's second annual Global Information Security Survey, which was conducted in conjunction with CIO and CSO magazines. Lobel described a typical scenario in which a new employee is given a user identification and password for network access at a company, another user identification and password for the accounting system, another for time reporting, payroll, human resources, etc.

"As organizations have grown over the years, the individual has multiple identities throughout the company and those things are not coordinated in any fashion," Lobel explained. In addition, an employee might have a company credit card, a building access card, a laptop computer or a company car.

"If you think it's bad giving them access, imagine how bad it is trying to remove it, especially if you've terminated them for cause," he said. "You suddenly have someone with the motivation and knowledge to do purposeful damage to your infrastructures and your critical and sensitive business practices. That's the sort of thing that leads to the destruction of a company."

Although 91 percent of respondents in the E&Y survey indicated that information technology security is "very important," only 28 percent recognized improved IT security training for their staff as a top initiative.

Half full? Half empty?

Interestingly, the tone differed drastically from one survey to the other.

The 11th annual E&Y survey results were somewhat ominous, replete with warnings and skepticism about the future of information security.

The statement, "We expect that incidents - particularly internal ones - will proliferate unless senior management makes information security a core management and governance function - a cultural imperative," set the tone for the survey. That mood was encapsulated in the summary, which stated that, "It's a combination of a failure to invest and a failure to enforce," which provides a doomsday outlook for information security if more drastic measures are not taken.

A more upbeat PwC survey focused on improvements that have occurred in the arena of information security and the best practices that are emerging.

The survey results show that spending on information security has not increased measurably from 2003 to 2004, and the number of incidents of security breaches has increased since last year, but the breaches "caused less downtime and cost less when they did occur," allowing PwC to conclude that such incidents are being better managed.

Both polls concurred that ongoing employee training in the area of information security is imperative and must be improved. "Lack of user awareness was the No. 1 obstacle to achieving a good information security posture," said Edwin Bennett, E&Y global director of technology and security risk services, in the introduction to the survey.

One trend noted by Lobel and the PwC survey is that companies are not following through on executing the strategic priorities that they set. "They've got the same issues year after year," said Lobel, citing a fear of litigation in response to changes in the regulatory environment as a major cause. "Sarbanes-Oxley is making organizations more cautious," he explained. With new regulations in force, "upper management needs to attest to controls and are potentially criminally liable."

And though regulations such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act may require companies to be more accountable and more motivated to protect data, E&Y warned that such regulation might be just the tip of the iceberg: "If organizations fail to make information security part of their corporate culture, additional government involvement might be forthcoming."

According to the PwC survey, out of 30 operations and technology security priorities noted by companies in 2003, execution of the goals in 2004 has fallen short of desired implementation in all but two areas, and those two involved deploying firewalls.

E&Y noted that one difficulty in implementing security objectives is that it's difficult to get management support for things that can't be seen. Organizations need incentives to improve information security, according to the E&Y report, which noted, "The measure of value is elusive and the benefit is visible only through events that do not happen."

One concern about survey results such as those provided by E&Y and PwC is that they may seem self-serving. Surveys conducted by IT consulting professionals indicated that more money should be spent on IT security. "Obviously, security does not come free and organizations must be willing to pay the costs for better quality products," states the commentary in the E&Y survey.

PwC's Lobel balked at that assessment. "As a consulting organization, one of the goals is to help organizations better manage their costs," he said. "The solution is not to spend more on security consulting, it's to do things internally. There's lots of free stuff out there to do that as well. Define your security architecture, establish your metrics - those are good things for the company to do."

"A sign of a good consultant is knowing when to walk away and let the organizations do things themselves," Lobel added.

Meanwhile, the need for reform and improvement in information security continues to grow. Estimates by the Association of Certified Fraud Examiners indicated that the typical U.S. organization loses 6 percent of its annual revenues to fraud, and that included fraud perpetrated through security breaches.

Accountants and consultants who are in the business of helping their clients find ways to protect themselves against fraud may find the results of these studies alarming, and at the very least will be assured that they have their work cut out for them. Both reports find that companies are slow to realize the potential for security risks until the risks have already materialized.

Results from the PwC IT security survey are available at www2.cio.com/research/surveyreport.cfm?id=75.

Results from the E&Y survey are available at: www.ey.com/global/content.nsf/international/press_release_-_2004_global_information_security_survey.
