Deloitte's latest TMT Global Security Study reveals that companies are starting to recognize information security as a fundamental business issue, with companies increasingly focused on cyber resilience, not just security.
The big question for companies has always been what to do next to manage growing security threats and new technologies while finding ways to maintain and strengthen security in a hyper-connected world where third parties and digital supply chains are an integral part of the business models.
Deloitte’s annual worldwide study of information security practices in Technology, Media, and Telecommunications (TMT) is based on interviews with more than 120 security executives of TMT organizations from 38 countries, and it reveals a shift:
- This year the top security initiative for TMT organizations is security strategy and roadmap (where regulatory compliance was the top initiative last year)
- The top concerns for TMT organizations are third party security risks and employee awareness
The survey results suggest that TMT organizations should also invest in information security training and awareness for their employees to help mitigate risks from new technologies.
“The question is not if you will be attacked: the question is when and how you will respond,” said Santino Saguto, partner in charge for the Telecommunications, Media and Technology (TMT) industry, Deloitte Middle East.
“Effective management of information security risks requires a robust combination of prevention, early detection, and rapid response. Being cyber resilient is just as, or even more, important than being cyber secure alone.”
Other major highlights of the study:
- The top 3 security initiatives for 2013 are:
  - Information security strategy and roadmap
  - Information security training and awareness
  - Mobile security
- Only 50% of the companies surveyed have security response plans in place
- 48% of the companies surveyed offer general security-related training
- 49% of the companies surveyed say lack of budget is the biggest barrier to improving information security
Partnering for cyber resilience
Additionally, results of the study suggest overconfidence in protection against external threats, with 88 percent of executives not viewing their company as vulnerable. However, when pressed further, more than half of the executives (59%) acknowledged experiencing a security threat in the last year. Further, less than half of survey respondents reported having a response plan in place to address a security breach, and only 30 percent believe third parties are shouldering enough responsibility for cyber security.
“Every organization is vulnerable and 100 percent prevention does not exist. To help prevent attacks, detection and response are necessary. Ultimately, the public and private sector need to engage in a deeper collaboration in 2013 across all TMT sectors to develop a more robust response effort,” said Saguto. “Organizations should not only work with their third-party business partners to understand and improve their security practices, they should also engage policymakers, regulators and enforcement agencies and be willing to share their sensitive information to help address the global issue of cyber risk.”
Other major threats identified by respondents include advanced persistent threats (64%) and hacktivism (63%), which combines social or political activism with hacking and is new to this survey. While more than half of those surveyed gather general intelligence information, only 39% gather information about targeted attacks specific to their organization, industry, brand or customers.
People, technology and mobile devices
According to the survey, innovations in technology and the people using these technologies also rank among the biggest threats, with 70% listing their employees’ lack of security awareness as an “average” or “high” vulnerability. Employees without sufficient awareness of security issues may put an organization at risk by talking about work in public, responding to phishing emails, or admitting unauthorized people into the organization’s facilities. The increased usage of mobile devices is also perceived as a high threat to organizations, with 74% of those surveyed identifying it as a top vulnerability.
Additionally, the study finds that new technologies exacerbate the problem. While they can provide powerful new capabilities that may benefit the business, they also introduce new security risks at a faster pace than many organizations can handle. Seventy-four percent of the executives ranked the mobile and bring-your-own-device technology trend as a continued concern, but only half of the organizations surveyed indicated that they have specific policies for mobile devices in place.