SA companies are lagging their peers elsewhere in the world when it comes to dealing with information security. They are responding to problems as they happen rather than executing on coherent plans, though the situation is gradually improving.

That’s a key finding of PricewaterhouseCoopers’ 2012 Global State of Information Security Survey, unveiled in Thursday. The survey has been conducted for the last 14 years and this year’s report had more than 10 000 respondents.

It finds most executives worldwide are confident in the effectiveness of their information security practices. However, the number of security “events” is up and expenditure crucial to early prevention and agile response are more likely to be deferred or cancelled than at any time since 2008.

Kris Budnik, director of the security practice at PricewaterhouseCoopers, says the frequency and complexity of attacks are increasing. There is also an increased chance of fraud in poor economic times.

The survey had a mixed bag of respondents, including CEOs, chief financial officers, chief information officers, chief information security officers and vice-presidents and directors of information security. Almost half of the respondents work directly in information security and most of the responses came from technology and financial services companies.

Half of the respondents were from the Americas, a third come from Europe, a fifth from Asia and about 3% from the Middle East and Africa.

Nearly half (43%) of respondents say their organisations are front runners in information security strategy and execution. Budnik says many SA companies are behind in this regard and are still responding to problems as they happen, or strategising about security without being able to execute plans.

Spending on information security is being motivated mainly by client requirements, then legal or regulatory requirements, and thirdly by what the report calls “professional judgment” as in the case of companies that have recently appointed individuals to handle security concerns.

Further motivations include offsetting potential liability or exposure, or because it has become standard industry practice and companies are feeling the need to keep up.

In terms of what sort of information companies deem most important, respondents ranked customer information as most crucial, followed by financial data, intellectual property and trade secrets, corporate information, and finally employee information.

“A few years ago almost half of survey respondents couldn’t answer questions about cyber crimes and security-related breaches. Now almost 80% of respondents can answer those sorts of questions. There’s a greater awareness about the frequency and types of incidents,” says Budnik.

According to the report, most security spending goes to malicious code-detection tools, Web content filters, intrusion detection tools and secure browsers.

Also, Budnik says fewer background checks are being conducted on new employees and, bizarrely, while third parties increase the risk to companies’ security, less is being done to vet them and ensure they comply with security policies.

The report says fewer than half of respondents have implemented safeguards to protect the enterprise from the security hazards that mobile devices and social media can introduce. Budnik says too little is being said about the benefits of such devices.

He says almost half of US college attendees said in a recent survey they wouldn’t consider working for a company that blocks social media. He says companies are concerned about productivity, but that “people will find other ways to waste time. It’s not about stopping social media, but about leveraging it.”

Four out of 10 respondents say their organisation uses cloud services — and 54% of those that do say the cloud has improved their information security. The greatest risks associated with cloud computing? An uncertain ability to enforce provider security policies and inadequate training and IT auditing are top concerns.

Budnik says the key message to take from the report is that although there is value in being a leader in the security space, “we need to be aware of emerging threats — or better, emerging opportunities — such as cloud computing, and that these can actually make businesses more secure if handled correctly.”

He says the biggest improvement companies can make to their information security is to educate their employees correctly. He says this, combined with more thorough vetting processes and access controls, is a fairly simple way to improve security in a short space of time. — Craig Wilson, TechCentral