The authors of Executive Insights have been invited by this magazine to offer their professional opinions and analysis to you, the reader. Executive magazine does not endorse the analysis of Insight authors, nor should the Insights be interpreted as reflecting the views or opinions of Executive or its editorial staff.
The current global economic downturn has not deterred some organizations from increasing budget allocations for information security. The issue is still a top priority with business leaders, although there are some key areas which still demand greater attention in terms of protecting the overall security and reputation of an organization.
Ernst & Young’s Global Information Security Survey 2008 canvassed nearly 1,400 senior executives from more than 50 countries around the world. The survey shed some light on the corporate strategy of organizations and specific areas that demand immediate attention. From the Middle East region, more than 100 executives participated in the survey.
The role of information technology in information security
Information security is closely linked to the information technology functions of an organization. Historically, IT is the first to feel the pressure of an economic downturn. Despite tightening economies, the survey indicates that organizations are increasing investments in information security and more organizations are adopting international security standards.
Even with an economic downturn facing some of the world’s largest economies, 50 percent of respondents said their budgets are set to increase. Only five percent plan to decrease their budgets. These are positive signs indicating that organizations recognize cutting back security would have an adverse effect on stakeholder perceptions, especially because security threats and attacks normally increase during an economic downturn.
Organizations are starting to think of technology along with the traditional themes of finance and human capital to de-risk their operations, which is encouraging.
Security breaches damage brand
In September 2008, the media wrote that some of the major banks in the UAE had warned hundreds of thousands of customers that their accounts may have been compromised and urged them to change their personal identification numbers immediately. The warning came after a large-scale card fraud by international gangs was unearthed, in which huge sums were wiped from customers’ accounts.
Another story referred to a card network warning banks that the security of some debit and credit cards was compromised. This led to the cancellation of many cards and an inconvenience to customers. Banks also blocked international transactions for a few days causing payment delays.
These are classic examples of a breach of information security where customer data was stolen with the purpose of making fraudulent transactions. Well-known brands all over the world have fallen victim to such misuse of identity by fraudsters and have had to spend millions of dollars to resolve resulting issues. These incidents draw attention to the crucial role played by information security in protecting an organization’s business, its customer confidence and its brand.
The results of Ernst & Young’s survey show that a growing number of organizations now recognize the vital link between information security and strong brand reputation. Most respondents believe that a security incident would have a greater impact on reputation and brand than on revenues. Some 85 percent cited damage to brand reputation as significant, compared with 72 percent for loss of revenues. A single security incident can damage or even destroy consumer confidence in a brand, which takes years to build. The media attention surrounding security breaches emphasizes how much damage can be done to a firm’s reputation.
Third party threats on rise
Investments in technology are of little value unless employees are trained on what to do and how to do it. Organizational awareness was cited by 50 percent of respondents as the most significant challenge to information security. The survey shows awareness is more significant than the availability of resources (48 percent), adequate budget (33 percent) and addressing new threats and vulnerabilities (33 percent). Merely increasing expenditure on technical solutions will not help organizations achieve the desired results, as people are often the weakest link.
However, the use of third parties and outsourcers is on the rise, increasing the risk of information security breaches. Organizations are taking significant steps to safeguard information, but this practice still runs many risks. Only 45 percent of respondents said specific information security requirements are included in third party contracts — this requires immediate redress.
Although most respondents cited various measures organizations adopt to ensure their external partners, vendors and contractors protect their sensitive information, almost one third said that they do not review or assess how contractors are protecting their information, which is quite alarming.
Directions for information security function
A clear understanding of information security is essential for its efficient implementation. As technology evolves, so does risk. Effective information security will help businesses improve the competitive advantage of their operations, make these operations more cost-efficient and reduce risks.
Ernst & Young’s survey shows that many organizations are still struggling to achieve a strategic view of information security. Only 18 percent indicated that it is integrated into the business strategy, and 29 percent have no information security strategy at all.
Reliance on technology continues to grow around the world and our region is no exception. Even as organizations adopt innovative methods to process and exchange information, threats to information security from various quarters, both regional as well as international, are on the rise.
Although regional awareness is increasingly transcending mere compliance and regulatory norms, there are still crucial areas that businesses need to pay greater attention to and invest in, such as insider threats, privacy and third party relationships. Organizations need to constantly evolve their security strategy according to changing times. As the saying goes, prevention is better than cure.
Waddah Salah is a partner in Ernst & Young Middle East and the head of technology enabling solutions and enterprise solutions in the Business Consulting Group.