Ernst & Young identifies threats to Middle Eastern companies' information security

"Organisations across the Middle-East and around the world are failing to safeguard against increasingly potent threats to the security of their information. We have found that the primary issue in ensuring the security of corporate information is the lack of in-depth involvement on the part of senior management in addressing the risks posed to their companies' information security by their own employees", said Mr. Edward Quinlan, UAE Country Partner - Ernst & Young.

Mr. Quinlan was referring to the findings of the Global Information Security Survey for 2004 conducted by Ernst & Young, the world's leading professional assurance and advisory service firm. The results of the survey showed an alarming state of affairs in corporate information security, and has led Ernst & Young to warn CEOs in the UAE and the Middle East against complacency, and urge them to step up efforts to safeguard their information security, especially from employees who have a lack of training and awareness.

Mr. Quinlan added that it came as a surprise to find that this knowledge has not been acted on by more than 70 percent of the 1,233 organisations, representing some of the leading companies in 51 countries, who participated in the survey.

The results of the Global Information Security Survey 2004 showed that there was a well defined need for drawing up and implementing effective controls based on potential risks and fostering a security-conscious culture, led by Senior Management, alongside Ernst & Young's professional advisors who are equipped to address and resolve such issues.

Ernst & Young has been present in the Middle East since 1923 and has vast experience in providing Professional Advisory Services ranging from IT Risk & Security, Human Capital, Assurance, Tax, and Transaction Advisory Services.

Mr. Meraj Ahmed, Ernst & Young's Technology & Security Risk Services Partner for the Middle East, stated that CEOs must take serious note of threats posed by security lapses, caused by human error, and take necessary precautions to prevent a possible breach before they occur. "Organisations, ironically, depend on human awareness to prevent most security breaches, especially internal incidents. Unfortunately, good information security practices are not second nature to most employees or how else can one explain the number of individuals who open an e-mail from a complete stranger with a subject line of 'I LOVE YOU' only to find an unpleasant virus".

The Ernst & Young Survey indicated that organisations remain comfortable with implementing procedures to protect themselves from external threats such as viruses but it also showed that internal threats are consistently under-emphasised, and therefore, not monitored. Companies will readily commit to technology purchases such as firewalls and virus protection to ward off external threats, but are hesitant to assign equal priority to threats from within.

Mr. Ahmed further stated that: "No amount of technology can reduce the human dimension in protecting information. Worldwide, senior management need to recognise the importance of information security and that persistent gaps continue to exist in the amount of diligence and resources that are deployed in security awareness and training for employees. Based on our findings, we remain of the view that much more can be done to transform an organisation's weakest link - people - into its strongest layer of defence".

One third of the companies surveyed admitted to outsourcing their information technology operations and over a third of these organisations answered that they did not conduct regular assessments of their IT providers to monitor for compliance with information security policies. This means that it is even more difficult for senior management to comprehend the level of risk to which they are exposed. In today's business environment, companies can easily outsource their work, but they cannot and should not presume to outsource responsibility for its security.

The survey also revealed;
• 91% of companies surveyed thought information security very important or somewhat important for achieving the organisations' overall business goals and objectives.
• No more than 24% gave their information security department the highest rating in meeting the needs of the organisation.
• Globally 70% of the respondents' board of directors failed to receive a quarterly report about the organisations information security status and 47% did not communicate with their user population on a regular basis.
• Less than 50% agreed that they could continue business operations in the event of a serious disruption.