A GLOBAL survey shows that Singapore organisations need to take steps to safeguard information even when it has left the protection of their own information systems.
The Ernst & Young 2008 Global Information Security Survey shows that companies are now realising that sharing data with third-party vendors and contractors rarely transfers the risk or responsibility for protecting the information.
According to the report, the use of third parties and outsourcers is on the increase, and organisations are taking some important steps to safeguard information, but there is room for improvement.
Gerry Chng, Ernst & Young's Singapore Information Security Solution Leader, noted that only 45 per cent include specific information security requirements in all of their contracts with third parties.
Almost one-third do not review or assess how contractors are protecting their information.
The survey canvassed nearly 1,400 senior executives in more than 50 countries.
It shows that most believe that a security incident would have a greater impact on reputation and brand than on revenues, with 85 per cent of respondents citing damage to reputation and brand as significant, compared with 72 per cent for loss of revenues. Regulatory sanction is cited by 68 per cent.
The survey shows that despite the focus on protection of brand and reputation, a worrying separation still persists between the information security (IS) function and the strategic decision-making process.
Only 18 per cent included IS in their organisation's business strategy with 29 per cent having no IS strategy at all.
Mr Chng told BT that the challenge for most organisations is to not only make IS work better, but to also make it a part of the business.
'For most companies in Singapore, IS is more integrated with the information technology (IT) strategy than with the overall business strategy. The management should bring IS into strategic business discussions as a valuable partner, and IS should adopt a more business-centric view,' Mr Chng said.
The survey also shows that a growing number of organisations recognise the link between information security and a strong brand and reputation.
According to Paul van Kessel, Global Leader of Ernst & Young's Technology and Security Risk Services, a good brand and reputation can take years to build but can be severely damaged or even destroyed by a single security incident.
'The media coverage surrounding security breaches underscores just how devastating these failures can be to a firm's reputation. For the past few years, most improvements in information security stemmed from regulatory compliance,' Mr van Kessel notes.
He adds that the desire to protect brand and reputation is motivating many organisations to do more than just tick regulatory and corporate compliance boxes.
Despite tightening economies, the survey indicates that organisations are increasing investments in information security and more organisations are adopting international security standards.
More than two-thirds (67 per cent) of respondents interviewed say they have implemented controls to protect personal information.
Despite an economic downturn faced by some of the world's largest economies, 50 per cent of respondents are set to increase their budgets for security; in fact, only 5 per cent plan to reduce their current budgets.
'We believe that organisations recognise that security cutbacks would have an adverse effect on stakeholder perceptions. Most also believe that security threats and attacks increase during an economic downturn,' Mr van Kessel said.
He added, however, that where the money is spent will be critical. It is not enough to simply fund further technical solutions, such as encryption.
'It is the people who are often the "weakest link", with 50 per cent of respondents citing awareness within their organisation as the most significant challenge to information security. Businesses must work with information security to develop training and awareness programmes and to adopt more sophisticated testing techniques.'
This article was first published in The Business Times on October 17, 2008.