
3 OVERVIEW OF INFORMATION SECURITY SURVEY REPORTS RESULTS

3.6 State-of-affairs of 2011 information security surveys

Eight online-accessible information security surveys were found for 2011.

E&Y, PwC and CSI conducted their surveys to explore the global cyber security situation. Carnegie Mellon University published a 2011 cybersecurity watch survey for the United States, which shares the same regional focus as Ponemon Institute's survey. (ISC)2 released a global information security workforce study, and another survey from PwC focuses on global economic crime. Besides these, Cisco published its 2011 annual security report. The Parliamentary Office of Science and Technology in the United Kingdom released a cyber security overview for the UK in September 2011.

As for the survey population, E&Y included nearly 1700 organizations across all major industries. CSI received 351 survey responses, mainly from the consulting, education, financial services, information technology, federal government and health services segments. PwC received more than 12,840 responses from CEOs, CIOs, CFOs and other directors in IT and security functions from 135 countries. Most participants in the 2011 global cyber security surveys are large and small organizations.

With the recovery of the global economy, more and more businesses are starting to adopt the digitalized globalization triggered by emerging technologies. With a significant increase in the use of mobile devices to carry and transfer data over the Internet among business partners, the traditional border of the organization starts to vanish, and the business world becomes more "borderless" and integrated.

However, such a profound effect has also brought unknown dangers to digitalized business and has significantly affected their perception of information security in this borderless environment (E&Y, 2011).

During this time, companies have witnessed a huge increase in both external and internal security threats. According to E&Y's survey report, 72% of respondents have seen an increased external threat. FBI reports in 2011 show that more than 350,000 complaints of cybercrime were received, not including unreported cases. Uscollegeresearch.org reports that 73% of United States and 65% of global Internet users had suffered victimization by cyber criminals through June 2011. Correspondingly, more than half of the respondents in E&Y's survey will increase their investment in the information security function in the following 12 months.

Although evolving technologies come with unprecedented benefits and opportunities, companies are required to equip themselves with a well-thought-out security strategy to respond to changes. Based on the review of 2011 cyber security survey reports, the following topics have been frequently investigated and analyzed:

- Security policies for using trending technologies in workplace (cloud, social media, BYOD)

- Information security capabilities

The connected business world requires businesses to have the right mixture of technology and security policies in order to benefit from the combination (Cisco, 2011). The rapid adoption of mobile techniques, cloud and social media in today's organizations has triggered a fundamental change in information security policies. According to E&Y's statistics, about 57% of organizations made policy adjustments in 2011, followed by 53% that increased their security awareness activities through the year. Since the trend of using mobile techniques and digital devices in the workplace cannot be avoided, the Cisco annual report mentions that it is essential to "find a common ground" where the company understands individuals' needs while requiring them to comply with organizational rules, in order to keep critical information and data safe.

Nowadays, an increasing number of companies are starting to support employees' own devices instead of providing preconfigured ones for them (E&Y, 2011). This creates the potential risk that employees may unknowingly make changes to those devices. Besides, mobile users may also remotely access social media and cloud services for work purposes. This carries the possibility of exposing the company's data to the public and thus putting security in danger. Based on these situations, Cisco suggests that no matter how enterprises perceive the use of emerging techniques in business operations, it is all about "policy elements in the interaction". Even if data is secured with technical controls and loss-prevention tools and employees are aware of critical security issues, that is not the end point for businesses. What's more, updating and adjusting security policies should also come along with educating and training employees about the risks associated with different devices. E&Y also suggests that organizations should "perform attack and penetration testing on mobile apps before deployment to help reduce the organization's risk of exposure".

Cloud computing has brought us a new approach to saving and backing up data. The number of users of cloud computing-based services increased slightly, from 23% in 2010 to 36% in 2011 (E&Y, 2011). 9% of enterprises in Ponemon's survey plan to spend most of their IT dollars on cloud security in the following 18 months. This is understandable, since cloud services are still evolving and most potential consumers have only just started to recognize their efficiencies and convenience. However, there is no doubt that this compelling technique will soon be adopted by fast-evolving digital businesses, and they must fundamentally change their security policy and "appetite" for partnering with external service providers in order to deploy it successfully. Cisco suggests that companies should establish a classification system for their data, such as "public", "confidential" and "high confidential", in order to be clear about what information can be uploaded to the cloud and shared with others. Meanwhile, choosing a reliable service provider who has strict security rules and who is critical about security issues can significantly strengthen data security, since such providers assess vulnerabilities more seriously than others.

Social media is an emerging way for businesses to connect with customers. It not only allows a company to keep in contact with customers but also to develop business through media marketing and to follow up on customer feedback. However, statistics from the global surveys show a different situation regarding the adoption of social media.

The E&Y report presents that 53% of respondents have limited or no access to social media websites. Only 46% of companies have adjusted their security policy for this new marketing approach. Some key findings from PwC's survey suggest that many companies are unprepared for the potential risks brought by social networking. Only 32% of respondents in the United Kingdom have implemented some technologies for supporting Web 2.0 information exchanges such as blogs, social networks, wikis and so on (PwC, 2011).

As a result, companies that are not equipped with a profound understanding and effective adoption of social networks and other Web 2.0 platforms can easily be exposed to cyber risks (PwC, 2011). Besides, malware from social media has also caused security breaches in 29% of the companies in Ponemon's survey.

For these reasons, it is more common to see a lax or hardline reaction towards social networks than active adoption (E&Y, 2011).

Nevertheless, all these developing technologies are a double-edged sword. It is more important to consider how to embrace and monitor these tools in the new digitalized business than to avoid them entirely. E&Y suggests that in order to fully leverage the advantages of social media, organizations may reform their perception of it and adjust the internal security policy to require personnel who use this technology to do so in a secure manner.

The next topic is cyber security capabilities for combating sophisticated cyberattacks. No matter what size the company is, all should be equipped with some cyber security capabilities to keep their information away from attack.

Large organizations may have a structured and well-organized security department, while small organizations may have limited security resources and insufficient spending and workforce. With complete and mature cyber security capabilities, a company can defend against some breaches in advance and protect itself against large-scale sabotage from cyberattacks. The PwC report (2011) reveals that security executives complained that their companies have restrained spending, which often results in the degradation of fundamental security capabilities such as employee background checks and the use of vulnerability assessment tools. Hence, both the PwC and EY reports state that in-house cyberattack defense and prevention capabilities are very weak among the investigated companies. 60% of companies in the PwC report think their in-house capabilities to prevent and detect cybercrime are adequate (PwC, 2011). Less than 4% in the EY report stated they would increase funding for incident response capability development in the following twelve months. On the government side, most of the reports found focus on building nation-level defensive cyber security capability. There was no comprehensive assessment defined for measuring cyber security capability maturity. This shortage does not help companies to compare themselves with others nor to find their vulnerabilities. Meanwhile, decision makers also have no better way to analyze what is vulnerable inside and to decide how to support capability development.