Deloitte study finds companies’ approach to information security is failing
Rotterdam, 21 November 2011 — According to the Deloitte Touche Tohmatsu Limited (DTTL) TMT Global Security study launched today, technology, media and telecom companies (TMT) are generally holding steady as compared to the prior year on their information security activities, budgets, governance, and reporting.
Yet the threats to Information Technology (IT) security are on the rise and the impact of security incidents are ever more significant. TMT organizations are not coping with the evolving environment: More than half (52 percent) of respondents to the DTTL study indicate that their security expenditures are either falling behind or catching up to what is expected.
'The ability to access information from anywhere at any time has become part of our daily lives—however, this ability also increases the threat to information security,' said Jacques Buith, TMT Security Leader at DTTL. 'Despite stable security investments, half of the TMT organizations that participated in this study indicate that they consider lack of budget and personnel to be the biggest barriers to adequate information security.'
Increasing legislation and regulations
The study shows that 30 percent of the TMT companies surveyed have a new security initiative for 2012: compliance with information security legislation and regulations. In the history of the study, never before has a similar initiative ranked in the top five priorities for TMT organizations. TMT organizations also identify security training, data protection, and security related to technology advancements as pressing issues.
'Governments are turning to stricter legislation and regulations, but that does not necessarily mean that TMT companies have failed to properly regulate themselves,' continued Buith. 'Compliance and regulations are baseline elements, yet TMT organizations in particular can and should use security to distinguish themselves in the market. So, it can be expected that TMT companies that proactively deal with information security and make it a high priority will be the best organizations in the sector.
'As governments work to draw up adequate legislation for the Internet, DTTL’s research reveals that 50 percent of the companies participate in cyber initiatives with other organizations in order to address cyber threats. This finding indicates that going it alone is no longer an option in the current environment—information security requires teamwork.'
IT solutions and regulations alone cannot ensure proper information security—the human element plays a major role. One fifth of the organizations interviewed state that one of the major threats they face when it comes to information security is employee errors. Another 17 percent identify employee abuse as a major threat to IT systems and information. Consumerization is another risk on the rise—that is, the use of personal smartphones, tablets, or laptops by staff for business purposes. More than 40 percent of the companies interviewed state they support personal devices in addition to corporate provided devices. 'This introduces new challenges involving confidentiality of data, privacy of staff, distribution of applications, and IT support,' said Buith.
Security and the cloud
New technologies require information security to adjust and adapt constantly. One example of such a technology is cloud computing. Nearly one third of the TMT companies surveyed identify cloud computing as the primary technological development that will shape the future of information security. Additionally, 60 percent of the TMT organizations surveyed state that third parties (e.g., organizations they share data with or entrust data to) are an average to major threat to information security—yet only 31 percent of the companies test these third parties’ security capabilities.
'Companies should realize that they have become increasingly dependent on third parties where information security is concerned,' added Buith. 'If your organization holds high standards on information security, you should demand that from your third parties and cloud solution providers as well.'
Top five security threats in 2012
1. Mobile devices (34 percent)
2. Security breaches involving third parties (25 percent)
3. Employee errors and omissions (20 percent)
4. Faster adoption of emerging technologies (18 percent)
5. Employee abuse of IT systems and information (17 percent)
While mobile devices are considered the number one security threat for 2012, it is not the device itself that poses the threat, but more so the sensitive data that it carries.
About the DTTL TMT Global Security Study
The goal of the DTTL Global Security study is to provide TMT companies with insight into the security and privacy challenges and threats that they currently face or will face as an industry. The study is developed based on the results of interviews with security executives of 138 TMT organizations from 25 different countries.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte's approximately 182,000 professionals are committed to becoming the standard of excellence.