IT security pros working in the technology, telecommunications, media and entertainment industries say they're confident they can handle external security threats, but nearly half lack a formal security strategy, according to a new survey.
The Deloitte survey of more than 100 organisations found that security pros within these industries may be overconfident when it comes to their security footing, said Rena Mears, Deloitte's global privacy and data protection leader, who helped conduct the survey.
"Technology and media companies tend to be on the cutting edge when it comes to implementing different kinds of technologies and integrating them in a business model," Mears said. "But when you're talking about security you're talking about very often limiting access and sometimes restricting creativity and that goes against the grain of an open and creative culture."
Most organisations need to begin by understanding the data they are trying to protect. Security should be introduced as a value proposition so employees understand the value of protecting intellectual property, Mears said.
The survey found that 46% of companies surveyed failed to have a formal security strategy in place. Still, 69% said they are "very confident" or "extremely confident" about their organisation's effectiveness at tackling external security challenges.
"Most security people, in the last few years, are trying to catch up with what has already occurred," Mears said. "Like most industries, technology companies are in a reactive mode and the security and privacy professionals involved want to move to a proactive stance and it's very difficult to do."
One major stumbling block for many firms is defining and understanding intellectual property. Understanding the organisation's personal information is easy since it can be found as a series of data objects in company systems. Intellectual property can take many forms, from a list, a series of activities to a bucket of bits, Mears said. As a result, just 7% of companies surveyed said they believe they are prepared for future security threats.
Senior executives could be seeing security as an IT issue, Mears said. The survey found that other strategic goals may be trumping information security at the board and executive level. Only 62% of respondents believe that security is a key imperative at the board or executive level.
That thinking at the executive level is starting to change, beginning with Sarbanes Oxley in addition to new breach notification laws, and the Payment Card Industry Data Security Standards. Also rising in concern is the area of insider threats, with only 56% showing confidence in addressing employee misconduct, whether it be deliberate-a rogue employee or accidental-such as an employee error.
"There's increasing concern around the fact that authorised people can either make errors which result in a breach or you could have insiders that are actually using their credentials in order to do something inappropriate," Mears said.
The problems posed by insider threats was highlighted recently when a rogue trader allegedly carried out US$7.2 billion in fraud against French banking giant Societe Generale. The trader was a trusted insider who knew the inner workings of the company network.
"Training needs to be the answer here," Mears said. "If we want people to change their behaviour and be sensitive to improper behaviour around them, we have to focus on training. It's the biggest bang for the buck and the area where we see the least investment at the moment."