Improving information security risk management and data leakage prevention (DLP) are the top two priorities for the year ahead, according to Ernst & Young’s 12th annual global information security survey. Compiled from the responses of information security professionals from nearly 1,900 organizations based in locations across the globe, the survey also lists regulatory compliance as a key goal among respondents. However, the report states, “too few organizations have taken the necessary steps to protect personal information.”
The survey shows that while “authorized users and employees pose the greatest security threat to an organization” and the majority of respondents do have security awareness programs in place, less than half—44 percent—of those programs include updates and alerts on current threats, while 42 percent provide informational updates on key new topics and 35 percent present specific awareness activities for “high-risk groups such as social networking users.”
According to the survey:
- 68 percent of respondents understand privacy laws and regulations
- 63 percent “include privacy requirements in contracts with external partners, vendors, and contractors”
- 59 percent have implemented specific controls to protect personal information
However, when it comes to personal information, the report points out that:
- 32 percent of respondents have produced an inventory of information assets covered by privacy requirements
- 29 percent have implemented a process to monitor and maintain privacy controls
- 26 percent have conducted assessments of the life cycle of their personal data
While 50 percent of respondents are at some stage of the evaluation and implementation process for DLP security technology, the survey also shows areas of concern. “One of the most noteworthy survey findings is how few companies are encrypting their laptops,” the report states, with only 41 percent of respondents currently using encryption and 17 percent planning to do so within the next year. The report points out that many breaches have occurred and continue to occur due to the loss or theft of laptop computers. “The technology is readily available and affordable to implement,” the report states, while having a “relatively low” impact on users as it is put into place.
The study shows 78 percent of respondents are planning to implement virtualization by the end of the next year; however, just 19 percent of those responding organizations listed virtualization as a security priority. “Clearly, our survey respondents do not recognize the same level of risk with virtualization as would be expected with such significant and extensive change effort,” the report states. “More alarming is the fact that virtualization security should be a concern, but the majority of organizations and security leaders are ignoring its implications.”
Cloud computing does not yet have as much momentum as virtualization, according to the responses, with only 17 percent indicating they now use the technology or plan to do so within the next year.
“Coupled with the opportunities and promise of cloud computing are elements of risk and management complexity. There are many challenges regarding types of cloud computing and the scope of deployment that make the details not nearly so simple,” Amr Ahmed, senior manager in Ernst & Young’s Advisory Assurance practice, told Privacy Advisor.
Ernst & Young identifies those challenges as:
- Data management at rest and in transit—privacy, regulatory violation, legal implication, cloud contract termination
- Security vulnerability within the infrastructure—authentication, authorization, access control, cryptography, monitoring
- The threat of “Monoculture”—diversity, resiliency, disaster recovery, and business continuity
- Service-Level Agreements—whether vendors offer flexible, negotiated, customer-specific SLAs or only cookie-cutter versions
- Heterogeneous cloud computing environments—the ability to integrate with internal cloud and other (external) cloud vendors
“On the other hand, organizations that are looking to avoid these risks and improve efficiency and scalability of their infrastructure will be able to maintain in-house private cloud through the use of virtualization technology,” Ahmed noted.
When it comes to putting information security initiatives into place, the survey found that the greatest challenge has to do with a lack of skilled information security resources. More than half of the respondents—56 percent—listed the lack of such resources “as a high or significant challenge,” according to the report, while budget constraints were named as another key challenge.
“Privacy and protection of personal data will become an even greater challenge for organizations as new technologies and services, such as social networking, virtualization, cloud computing, and radio-frequency identification (RFID) gain more widespread use,” the report states. “Privacy and data protection will also likely gain increased focus of governments and regulators as they attempt to keep privacy regulations out in front of the potential risks associated with these new technologies.”
