UK public sector organisations are losing ground to those in many of their major overseas trading partners when it comes to protecting and securing data, says a new survey of more than 7,000 information security professionals across the globe.
Some 49% of respondents polled in the 7th annual Global State of Information Security Survey, carried out in conjunction with CIO and CSO magazines, did not know how many security incidents their organisations had experienced over the last 12 months, compared to only 7% in China.
Only 37% of UK respondents said their organisation had an accurate inventory of where sensitive data was stored. Just 37% said they employ a Chief Information Security Officer, and only 47% have a disaster recovery plan; both figures are significantly higher in the US.
Globally, 12% of respondents believe spending on information security will be cut over the next 12 months, up from 5% last year. But 63% believe that spending will stay the same or increase, providing some evidence that information security budgets are safe, for now.
William Beer, director, One Security practice, PricewaterhouseCoopers LLP, said the recession means all budgets are under pressure but many companies know that now is not the time to slash their security spend.
There are a host of new and emerging threats that range from complex malware to attacks from cyber-criminals and e-espionage, all of which can result in material loss and reputational damage.
Beer added: "We are also aware that, at a senior level, the UK is anxious about moving to digital business models, where core information assets, such as customer data and intellectual property, may be shared with business partners and outsourced suppliers, often in other countries. This adds another dimension to the risks involved."
Other findings from the global survey show that 40% of respondents believe that threats to the security of their companies' information have increased over the last year and, of those, a similar proportion say risks have increased due to employee lay-offs as a result of the economic recession.
The list of new investments in the information security area is topped by the increasing use of biometrics, especially in China, where 69% of respondents reported they were used to protect information, compared to just 22% in the UK.
Another new trend is the growth in the number of employees accessing social networks from work and the risks this behaviour brings with it. 40% report that their organisations have security technologies that support Web 2.0 exchanges such as social networks, blogs and wikis. In addition, approximately one third audit and monitor networking postings to external blogs or social networking sites, while 23% have security policies to address this.
When asked what they thought were the biggest priorities to continue meeting their security objectives, respondents highlighted the need for an increased focus on data protection and a more intelligent prioritisation of security investments based on risk.
Jon Hayton, a director in PwC's forensic investigations team, said: "The findings from this survey match what we are hearing from our clients in the UK. It is good news that companies have chosen not to slash security budgets. Good security practice needs to be embedded into the DNA of a business, not bolted on as an afterthought. Unfortunately there are many organisations where this is still the case.
"This makes their security performance very fragile. When it goes, it can go very quickly. I have seen good security practices fall apart in months."