Contact: Kate Nichol
Deloitte
Manager, Enterprise Risk Services
+44 20 7007 6257
Contact: Simon X. Owen
Deloitte
Partner, UK Enterprise Risk Services
+44 20 7303 7219
- Sixty-seven percent of companies cite "human error" as a root cause of security failures—ahead of technology and operations.
- More than a quarter of organizations (29 percent) give employees no training on information security or privacy issues.
- A majority of companies (70 percent) have appointed a Chief Information Security Officer and 72 percent have information security governance frameworks and strategies in place.
London, May 19, 2008 – Energy and Resources businesses are working hard to improve their security and to be one step ahead of the latest security threats, according to the 2008 Energy and Resources Global Security Survey launched today by Deloitte. Human error remains the greatest threat and firms still need to get to grips with the latest available security technology.
"Companies have been developing their security practices and credible progress has been made," said Simon Owen, the partner leading Deloitte's UK Enterprise Risk Services Technology group.
According to the survey, a majority of companies (62 percent) are "very confident" they are safe from an external attack, while 41 percent said they are "very confident" that they are safe from internal attack.
However, the need for security to remain a high priority is highlighted by the threats faced by business. More than half of respondents (53 percent) suffered from an email attack in the last 12 months and 44 percent have experienced repeated email attacks.
"There are still issues E&R companies need to address to improve their security," said Owen. "Lack of resources is cited by 40 percent of companies as the biggest barrier. Investment is another area where over half of companies (53 percent) feel they aren’t on plan or ahead of the problem, due to their current level of expenditure. Lack of support is another issue and only half (53 percent) believe that senior management gives sufficient commitment to information security."
Survey responses indicate that companies fear external threats more than operational ones. Their greatest fear is social engineering, where individuals are duped into disclosing confidential data online. However, the most dangerous threat in fact comes from within, with 67 percent of companies citing "human error" as one of the root causes for security failures–putting it ahead of technology and operations.
One way companies can stay on top of their information security is by training their staff. More than a quarter of organizations (29 percent) give their employees no training at all on information security or privacy issues, or how to identify suspicious activities. This level of training is surprisingly low for a sector well versed in training its people.
"To minimize the risks, organizations need to keep abreast of new security tools and their potential for improving security. The risks of disruption are further heightened by the fact that almost all respondents say that the security of their specific industry control systems (such as SCADA) is critical to the success of their organisation's business. Yet a majority of them have no program in place to assess that security," said Owen.
Fortunately, the global survey reveals companies have developed a strong governance framework around their security. The majority of Energy and Resources organizations have appointed a Chief Information Security Officer. The majority of companies (72 percent) have information security governance frameworks and strategies in place. This senior leadership driving the information security governance framework reveals a long-term commitment to information security among Energy and Resources companies globally.
Other key findings
- More than half of Energy and Resources companies (55 percent), including critical utilities and infrastructure organisations, have a formal business continuity plan (BCP) in place;
- The survey reveals that although the majority of companies have some form of crisis management plan in place (81 percent), only a minority (27 percent) have specific crisis management teams or regularly test their crisis management plans.
For more information, visit Deloitte’s Security & Privacy services site.
About Deloitte
In this press release references to Deloitte are references to Deloitte & Touche LLP which is among the country’s leading professional services firms, providing audit, tax, consulting and corporate finance services. Deloitte & Touche LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu (DTT), a Swiss Verein whose member firms are separate and independent legal entities. Neither DTT nor any of its member firms has any liability for each other’s omissions. Services are provided by member firms or their subsidiaries and not by DTT. Deloitte & Touche LLP is authorised and regulated by the Financial Services Authority. The information contained in this press release is correct at the time of going to press.