TMT Security Study
The fifth Deloitte Global Security Survey for the Technology, Media and Telecommunications industries has particular significance for Ireland. The previous surveys have charted a course of steady progress in 2007 and 2008, a marked decline in security investment in 2009, a significant increase in efforts in 2010 and a return to steady progress in 2011. The significance for Ireland is the failure to bounce back in 2010. While the economy in 2010 provided some respite and an opportunity to re-focus on information security for many organisations, this has not been the case in Ireland. Many companies are still struggling to find the resources to address information security challenges and as a result are facing a widening gap with their international peers.
Gary Comiskey, Director with Deloitte’s Enterprise Risk Services group, comments:
“The challenges outlined in the survey are common across the world and are applicable across most industry sectors. Information security requires constant review and refocus. Our experience has shown that many Irish organisations have not had the opportunity to invest and mature their information security management programmes in 2010 and 2011 and while they face the same risks as their peers across the world they are likely to be starting from the back of the grid. This lack of resources coupled with a greater public awareness and a wider range of information security threats puts many Irish organisations in a vulnerable position, if action is not taken.”
The results of the survey can be summarised under five broad headings:
“Good enough” is no longer good enough
Over the last number of years, Deloitte's experience and surveys have shown that there is a much greater public focus on information security and much greater expectations from the public when it comes to the need to protect information, particularly personal and financial information. The most recent survey has highlighted that the public’s tolerance for security and privacy problems has rapidly reduced, but the number of security breaches is increasing. While the 2010 survey found that 38% of respondents had not experienced a security breach, this has reduced to 25% in 2011. Another interesting finding of the survey is that almost 20% of respondents in the Telecoms and Media sectors were not sure how many breaches had occurred.
In the current climate, reducing the number of incidents to an occasional breach is no longer good enough.
Regulators are stepping in
In Ireland and many other jurisdictions around the world, regulators are taking a much firmer line when it comes to information security and data protection. The recent audit of Facebook by the Data Protection Commissioner has highlighted the level of input from regulators and the nature of their powers. The organisations that participated in the Deloitte survey have recognised this change and have identified compliance with regulatory requirements as their number one security initiative in 2011. There is also a general consensus that getting a passing grade from regulators alone will not be enough to meet marketplace demands.
The complex challenges of a hyper-connected world
One of the key themes to emerge in the 2011 survey is the increased challenges of our inter-connected business processes. There are very few organisations that go it alone – most will have some interactions with third parties or reliance on vendors or service organisations to support their operations. The Deloitte survey showed that nearly 60% of respondents considered third party organisations to pose a medium to high level of threat. Despite recognising the level of threat, only 30% performed regular reviews to assess the security risks and only 18% had agreed procedures to manage information security at third parties. In an Irish context this is particularly relevant considering the number of cloud computing hubs that are located in Ireland and the level of risk associated with this area.
Managing the human factor
The Deloitte survey showed that 20% of organisations believe that employee errors and omissions pose a high threat, while 17% view employee misuse of systems as high risk. This level of risk is further increased when employees introduce their own devices or use company systems in order to access social media or other information sharing sites. The “bring your own device” concept is becoming much more popular, with 43% of survey respondents saying that this is now supported by their organisations. While these devices bring many efficiencies and may improve the information sharing process, the risks and threats are not always fully understood.
New technologies require information security to adjust and adapt constantly. One example of such a technology is cloud computing. Nearly one third of the TMT companies surveyed identify cloud computing as the primary technological development that will shape the future of information security. The survey also asked respondents to name their top five information security threats for 2012, which are set out below:
- Mobile devices (34 percent)
- Security breaches involving third parties (25 percent)
- Employee errors and omissions (20 percent)
- Faster adoption of emerging technologies (18 percent)
- Employee abuse of IT systems and information (17 percent)
While mobile devices are considered the number one security threat for 2012, it is not the device itself that poses the threat, but more so the sensitive data that it carries.
“As a first step companies should conduct their own assessment in order to understand the risks that they face and try to identify the most effective and efficient measures to address these. Managing information security does not have to be a very expensive or resource-intensive process – as the Deloitte survey shows it can often be down to simple training and awareness. However one thing is certain – a failure to take any steps to protect your information will be expensive and resource-intensive.”