There is an increased focus on mobile security architecture and the risks inherent in transportable media. Many more companies are encrypting laptops and other peripherals. New security technologies across virtually every security domain, from prevention to detection, were implemented in 2008.

This is one of the key findings of the latest Global State of Information Security 2008, a worldwide security survey by PricewaterhouseCoopers, CIO Magazine and CSO Magazine.

The survey was conducted online from March 25 to June 26, 2008. Readers of CIO and CSO Magazines and clients of PricewaterhouseCoopers from around the globe were invited via e-mail to take the survey. The results are based on the responses of more than 7,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of information technology and information security from 119 countries, including Malta.

Respondents report significant gains in adopting security standards and procedures for handheld/portable devices such as flash drives (44 per cent in 2008 vs 31 per cent in 2007) - as well as for cellular and wireless systems (43 per cent vs 32 per cent). And, asked about whether they were feeling confident about the effectiveness of their information security practices, most (85 per cent) technology respondents agreed that, at some level, they were.

"Why the enthusiasm? Other survey results present a clue," explained the survey. "The sector reports huge strides in implementing new technologies across many critical security domains - from prevention to detection - capabilities that include, for example, content filters (67 per cent vs 46 per cent in 2007), website certification/accreditation (60 per cent vs 49 per cent), and tools to discover unauthorized devices (58 per cent vs 43 per cent). Here's the hitch: extracting value from all this new technology, of course, requires equally robust commitments to critical supporting processes - and the people that run them. Yet just 62 per cent of all sector respondents say they have an overall information security strategy and barely half (54 per cent) say their firm engages both business and IT executives in addressing information security."

Furthermore, the acute focus on technology over the last year has not been matched by an equally robust commitment to other critical drivers of security's value, such as many of the critical business and security processes that support technology, and the people who administer them.

The survey comes to the conclusion that in general the big strategic steps forward didn't happen this year. "They happened last year, in 2007 - when respondents reported, for example, 17-to-20 point gains in appointing a senior information security executive and establishing an overall information security strategy. So the question we most wanted to answer this year was - with new leadership and a plan in place - exactly where the investment emphasis was placed in 2008? The answer is technology. This year, across industries, countries and regions, business models and company sizes, respondents report double-digit advances in implementing new security technologies across virtually every security domain, from prevention to detection."

Although both business and security priorities vary widely, this year's responses reveal that, in general, the clearest and most promising opportunities to safeguard sensitive information are concentrated in five areas: improving privacy protections; getting better control over access; strengthening the security that enables sourcing, alliances, and other collaborative networks; using people and process to take full advantage of data loss prevention (DLP) technologies; and taking a risk-based approach to compliance with regulations and standards ranging from Sarbanes Oxley and the European Union Data Protection Directive to the global payment card industry's (PCI) data security standards.

In terms of access control, key processes lag behind technical advances. This year, technology respondents were much less likely to view employees as the probable source of a security incident (29 per cent vs 43 per cent in 2007). And small wonder - given that more report now using a centralised user data store (56 per cent vs 46 per cent), automated account de-provisioning (32 per cent vs 26 per cent), and reduced/single sign-on software (38 per cent vs 33 per cent). But key processes have not been widely adopted. For example, only 39 per cent of technology respondents say their organisation has implemented tiered authentication levels based on user risk classifications - and just under half have policies on application security segregation-of-duties (46 per cent).

Where the protection of intellectual property and other data is concerned, critical gaps help strengthen the business case for data centre initiatives. The good news is that the sector has made significant gains in encrypting data - not just on laptops (55 per cent vs 43 per cent) but also in databases (61 per cent vs 53 per cent), file shares (60 per cent vs 43 per cent), backup tapes (50 per cent vs 40 per cent) and removable media (45 per cent vs 34 per cent).

"The shadow story here, of course, is that four to five out of every 10 sector firms haven't yet done so," the survey warned. At the same time, fully 65 per cent of technology respondents report that their organisation does not have an accurate inventory of where personal data for employees and customers is collected, transmitted and stored.

Only a minority of sector respondents say their firm conducts due diligence of third parties handling personal health information (27 per cent), and even fewer have an inventory of these parties at hand (24 per cent). This is a crucial issue because, as regulators have made clear, the ultimate responsibility for sharing information can rarely be passed on to third-party vendors.

This year, breaches resulted in significant impacts - such as financial losses (37 per cent), theft of intellectual property (30 per cent) and compromises to corporate brand or reputation (28 per cent).

"These figures, however, probably understate the true costs of security lapses. Why? Asked about what types of security incidents occurred this year, 43 per cent of sector respondents didn't know. Asked about the likely source, another 42 per cent weren't sure. Better measurement would help: only 54 per cent of sector respondents say their organisation has both measured and reviewed the effectiveness of information security in the past year."

The full results of the Global State of Information Security 2008 are available at http://www.pwc.com.
