Take The Longer Term View - Consumer Business Security Survey 2009

Foreword

Despite the economic climate negatively impacting Consumer

Business (CB) organisations, security issues remain high on the

agenda. In what may be a rare piece of good news for the industry

this year, we have seen real improvement in several areas of

security over the past twelve months – a recognition

perhaps that media coverage on data loss incidents still has the

attention of senior management.

The second edition of Deloitte's annual Consumer Business

Security Survey allows companies in the industry to understand

current security issues and provide a benchmark to their peers.

There are a number of reasons why security is critical to CB

organisations:

Consumers trust retailers with a considerable volume of

personal and financial data. They expect CB organisations to

protect their data to the same standard as a bank. When companies

breach that trust, the effects can be devastating to the brand.

Retailers cannot afford to lose any custom in the current

market.

Many organisations are heavily focussed on reducing costs and

improving liquidity. Poor quality data generates considerable

inefficiencies in processing and impacts on the accuracy of

management information. With data volumes rising by 50% per year*,

the data is there in abundance – but management don't

trust it and struggle to derive value from it

Third parties form a core part of any supply chain, and now

have increasing responsibility for handling and processing

sensitive data. Understanding the risks associated with third

parties and managing these effectively, whether that be in

maintaining continuity of supply or protecting confidential data,

is critical. Organisations have started to consider these risks

more formally, but few currently assess the effectiveness of the

controls in place around these third parties.

Deloitte's 2009 Consumer Business Security Survey identified

the security issues and threats that are of the greatest concern to

CB companies. The survey highlights the measures businesses are

taking to avoid security breaches and ensure compliance.

Thank you for your time and participation. We hope you find the

report useful.

Mike Maddison

* Why database archiving should be part of your DBMS strategy,

quotation from a commissioned study conducted by Forrester

Consulting on behalf of Clearpace, January 2008.

About the survey

Specific interview topics included:

Governance, structure and investment

Strategy and initiatives

Threats, vulnerabilities and impacts

Incident detection and management

Technologies

Training and awareness

Third parties

Business continuity planning

Data quality

Compliance

Deloitte undertook a survey in the UK to help CB companies

benchmark their security practices against their peers. Data was

collected through discussions between Deloitte's CB security

specialists and security management from consumer business

companies. This second annual edition of the survey saw a

significant increase in responses, with the involvement of some of

the UK's largest retailers and consumer goods businesses.

This year's survey has again crossed borders to include

responses from three Swiss businesses. Respondents were typically:

Chief Information Security Officers (CISO), Information Security

Managers, Chief Security Officers (CSO) or IT Directors. Retailers

made up 48% of respondents and consumer goods businesses 35%, with

the remaining 17% of surveys completed by businesses operating in

the business service sector.

Key findings

Over half of the companies interviewed have experienced project

cuts as a result of the economic downturn.

91% of consumer businesses have experienced at least one

information security breach in the last 12 months, a 27% increase

on last year.

48% of CB companies anticipate that social engineering will be

a major threat to security in 2009.

96% of consumer businesses have third parties with access to

their customer data.

57% do not carry out periodic security assessments once third

parties have been engaged.

74% of companies do not hav e a defined information security

training and awareness programme.

43% of CB companies have a formally defined information

security strategy, compared with 20% last year.

Top five threats envisaged in 2009:

Social engineering

Theft or leakage of internal data

Employee misconduct

Virus/worm outbreaks

Weak passwords

Top five security initiatives:

Regulatory compliance

Data leakage

Reporting and measurement

Infrastructure improvement

Governance

The general state of security

The need for diligent security practice has never been greater

than during this time of increased economic uncertainty. The CB

Sector has been hit particularly hard, with slowed growth,

decreasing profits and an increasing number of high-profile

insolvencies. The results of the survey show that while relative

investment in security is expected to maintain an upwards trend,

the immediate effects of the economic downturn are putting pressure

on security and technology budgets.

The impact of the economy on security budgets has the potential

to negatively affect security and compliance initiatives over the

coming year. 55% of respondents have experienced project cuts as a

direct result of the credit crunch and 30% expect budget cuts in

2009. When asked about plans to fulfil PCI DSS* compliance, 79% of

respondents processing card payments said that they have started

programmes to do this. With 45% of companies planning to meet PCI

requirements and estimating spending in excess of £1

million**, any budget and project cuts are likely to cause delays

in achieving compliance.

The focus of our 2007 CB security survey*** report was the

tactical (rather than strategic) approach that businesses were

taking to information security. This year's results indicate

that businesses are beginning to trend toward a more strategic

approach to security with 43% having a formally documented

information security strategy, compared to...