The poll investigated perceived threats to information security and how businesses are responding. It found that despite taking measures to combat the risks, 37% of businesses still see employees as the biggest threat to information security, ranking the insider threat higher than cyber-attacks (19%) and BYOD (15%).
In order to reduce the risk to their business, over half (52%) have implemented an internal information security policy, 47% have provided staff training and 63% are either certified (29%) or operating in compliance (34%) with ISO 27001, the international Information Security Management System Standard. A further 23% indicated they were looking to certify in the immediate future.
However, confidence in security measures to protect against risks is relatively low, with under half (46%) stating they are confident in the measures their firm has taken. One in ten are not confident at all, yet, unsurprisingly, in organizations that are certified to ISO 27001 the level of confidence in security measures rises to 78%.
“It’s no surprise to see insider threats as the biggest risk to information security as employees will always be the one thing that cannot be controlled,” said Suzanne Fribbins, Risk Management Expert at BSI. “Employees don’t necessarily have to be malicious to put a company at risk; they may just not understand the possible risks associated with their actions. Research has shown that effective staff training can halve the number of insider breaches*, by ensuring employees understand the importance of information security and their role in protecting businesses’ critical information.”
Commitment from senior management is essential if an organization is to manage information security effectively. Encouragingly, 73% of respondents believe senior management is dedicated to information security. But 54% do not feel the necessary resources are allocated to it, despite this being one of the key ways in which top management can demonstrate its commitment to protecting the confidentiality, integrity and availability of information. “In order for an information security management system to be effective, adequate resources have to be allocated, and roles and responsibilities for information security need to be clearly defined,” explained Fribbins.
Fribbins continued: “We have found organizations that implement ISO 27001 can better identify threats to their information security and put in place appropriate controls to manage and reduce risks. This was supported by the research findings with 58% of respondents seeing this as the greatest benefit, followed by the improved ability to meet customer/tender requirements (41%), achieving consistency of approach (41%) and improved information security awareness (30%).”
Interestingly, the poll found that over three quarters (77%) of organizations are increasingly being asked for ISO 27001 as a customer requirement when bidding for new business. “ISO 27001 is increasingly becoming a ‘ticket to play’ and an investment that delivers true business benefits,” added Fribbins.