The 2002 Global Information Security Survey indicates there are significant gaps in security management around critical business systems and data, despite awareness and recognition of the threats.
The survey results also indicate that while information security has become a major concern for companies around the world, approaches to the risks are inconsistent and often insufficient.
Despite the continued threats, only 53% of the 450 companies surveyed have business continuity plans in place. In fact, 40% of those companies do not investigate information security incidents, an essential component of basic information security measures, said Ernst & Young.
The results indicate information security is still widely regarded as a technical issue, not a business issue, and that this fundamental gap could potentially cause organizations to prepare inadequately for threats that are increasingly sophisticated and rapidly changing.
Ernst & Young also found that 60% of those companies surveyed expect to experience greater vulnerability as IT connectivity increases. Employee awareness of information security policies and procedures is cited by 66% of the respondents as a barrier to achieving effective security, yet less than 50% have employee awareness and training programs in place to explain those policies.
Also, respondents indicated a greater concern about vulnerability to external attacks (57%) than to internal attacks (41%), despite published data indicating that more than three-quarters of attacks originate from within organizations, the consulting firm said.