CEOs are increasingly aware of the risks posed to company information by, but they aren't acting on this knowledge, according to the "2004 Ernst & Young Global Information Security Survey." More than 70 percent of the 1,233 organizations surveyed in 51 countries failed to list training and raising employee awareness of information security issues as a top initiative.
Just 20 percent of respondents strongly agreed that their organizations perceiveas a CEO-level priority. Only one-quarter gave their information security departments the highest ratings in meeting the needs of the organization.
A large part of the problem is that organizations remain focused on, while internal threats are consistently underemphasized, the survey found. Executives are quicker to spend money on technology such as firewalls and virus protection than they are to properly prepare their employees.
"Companies face far greater damage from insiders' misconduct, omissions, oversights, or an organizational culture that violates existing standards," Edwin Bennett, global director of Ernst & Young's technology and security risk services, said in a statement Thursday. "Because many insider incidents are based on concealment, organizations often are unaware they're being victimized. Too many organizations feel that information security has no value when there is no visible attack."
Threats can also come inadvertently from business allies. Fewer than one-third of the companies surveyed conduct a regular assessment of their IT providers to monitor compliance with information security policies.
The dangers can be reduced by creating a security-conscious culture that starts with executives setting the right tone at the top of the organization, Ernst & Young said. Organizations also have to demand higher levels of security from their business partners.
The companies surveyed have their annual revenue ranging from less than $100 million to more than $10 billion and operate in areas ranging from finance to retail to government services.