Nation falling short on IT security: survey

Need for better information safety becomes urgent, Ernst & Young says

Most organizations in China have failed to meet ever-growing challenges to information security, even though they have taken some steps to improve the situation, an Ernst & Young survey has found.

The need for better information security has become quite urgent in China, especially after the exposure of the United States' program known as PRISM, a clandestine Internet and telecom surveillance system operated by the US National Security Agency.

Meanwhile, in early July, the National Business Daily, a Chinese newspaper, revealed that hackers could easily get access to confidential account information residing on major securities firms' systems, through certain software developed by Qihoo 360 Technology Co Ltd.

"Information security challenges, such as hacker attacks, are becoming severe," said Keith Yuen, EY China Advisory partner, at a Beijing news conference on Tuesday.

"Unless organizations transform their information security functions, few of them can keep up with the ever-changing risk landscape."

With escalating information security threats and increased information security incidents, organizations should recognize the risk environment is changing, the EY Global Information Security Survey said.

The EY survey covered 1,836 interviewees across 64 countries between May and July 2012.

Despite corporate security upgrades, the pace of external threats has picked up speed, the survey said. In 2009, 41 percent of respondents noticed an increase in external attacks. By 2011, that number had leaped to 72 percent, and it rose further to 77 percent in 2012.

Examples of external threats include hacking, espionage, organized crime and terrorism.

New technologies have opened up tremendous opportunities for organizations but have also created potential threats.

Cloud computing is one of the main drivers of the business model innovation. Over the past two years, the number of organizations using cloud-computing services has doubled.

However, 38 percent of respondents to the survey indicated that their organizations have not taken measures to mitigate risks, such as not exercising stronger oversight over the contract management process for cloud-service providers nor using encryption techniques.

In the new area of social media, the survey found that it can quickly build an organization's brand and expand its presence, and it can just as quickly crush it.

Challenges include data security, privacy concerns, regulatory and compliance requirements and the impact on productivity.

"Short-term incremental changes and bolt-on solutions are not sufficient," said Yumin Lin, EY China advisory director.

"By fundamentally transforming their information security management strategy, organizations can respond effectively to existing security threats, as well as to security risks arising from emerging technologies," Lin said.

However, about 63 percent of respondents indicated that their organizations have no formal security architecture framework in place, while only 16 percent of respondents claim their information security functions do meet their business needs.