Nearly nine out of ten IT leaders in the UK believe that external security attacks are growing, according to a new survey by professional advisory firm Ernst & Young. That proportion has more than doubled from four in ten in 2009.
Ernst & Young’s 15th Global Information Security Survey 2012 polled 1,850 CIOs, CISOs and other IT executives from around the world.
The vast majority (88%) of UK organisations reported an increase in external attacks compared to last year, up from 72% in 2011 and up from 41% in 2009.
The survey also quizzed respondents on their views on cloud computing. Three quarters (77%) of respondents are using cloud services, while a fifth said they had taken no security measures to mitigate risk, such as using encryption or strengthening oversight of the contract management process for cloud providers.
Ernst & Young argued that the increased use of cloud computing calls for “a robust security architecture framework”. However, 64% of respondents do not have such a framework.
The company also argued that responsibility for information security should shift from the IT department to the board of directors. In the UK, 61% of respondents said that companies have placed the responsibility for information security in the hands of IT, with only 11% discussing such issues at board meetings. Almost half (45%) admitted to only discussing information security issues once a year in board meetings.
When asked about the barriers to improving their security provisions, 57% said a lack of specialist skills forces their organisation to focus on short-term solutions to information security issues instead of tackling the overall threat. Over half (61%) of respondents cited budget constraints as the main obstacle to their company’s information security strategy.
Mark Brown, director of information security at Ernst & Young, said the results of the survey point to two necessary changes.
“On the one hand, businesses need to understand that information security can no longer simply be an IT issue,” he said. “They need to transform their perception of information security and make it a board sponsored topic that is eventually embedded in the core strategy of a business.”
“On the other hand, we need to look at the bigger picture – that of the lack of specialist skills,” Brown added.
“Since the late 1990s the number of UK-born graduates studying mathematics and science degrees has fallen by almost 70%. This has led to an increasing shortage in relevant skills and has put the UK’s efforts to tackle growing cyber security risks on the back foot.”