Take The Longer Term View - Consumer Business Security Survey 2009
Foreword
Despite the economic climate negatively impacting Consumer
Business (CB) organisations, security issues remain high on the
agenda. In what may be a rare piece of good news for the industry
this year, we have seen real improvement in several areas of
security over the past twelve months – a recognition
perhaps that media coverage on data loss incidents still has the
attention of senior management.
The second edition of Deloitte's annual Consumer Business
Security Survey allows companies in the industry to understand
current security issues and provide a benchmark to their peers.
There are a number of reasons why security is critical to CB
organisations:
Consumers trust retailers with a considerable volume of
personal and financial data. They expect CB organisations to
protect their data to the same standard as a bank. When companies
breach that trust, the effects can be devastating to the brand.
Retailers cannot afford to lose any custom in the current
market.
Many organisations are heavily focussed on reducing costs and
improving liquidity. Poor quality data generates considerable
inefficiencies in processing and impacts on the accuracy of
management information. With data volumes rising by 50% per year*,
the data is there in abundance – but management don't
trust it and struggle to derive value from it.
Third parties form a core part of any supply chain, and now
have increasing responsibility for handling and processing
sensitive data. Understanding the risks associated with third
parties and managing these effectively, whether that be in
maintaining continuity of supply or protecting confidential data,
is critical. Organisations have started to consider these risks
more formally, but few currently assess the effectiveness of the
controls in place around these third parties.
Deloitte's 2009 Consumer Business Security Survey identified
the security issues and threats that are of the greatest concern to
CB companies. The survey highlights the measures businesses are
taking to avoid security breaches and ensure compliance.
Thank you for your time and participation. We hope you find the
report useful.
Mike Maddison
* Why database archiving should be part of your DBMS strategy,
quotation from a commissioned study conducted by Forrester
Consulting on behalf of Clearpace, January 2008.
About the survey
Specific interview topics included:
Governance, structure and investment
Strategy and initiatives
Threats, vulnerabilities and impacts
Incident detection and management
Technologies
Training and awareness
Third parties
Business continuity planning
Data quality
Compliance
Deloitte undertook a survey in the UK to help CB companies
benchmark their security practices against their peers. Data was
collected through discussions between Deloitte's CB security
specialists and security management from consumer business
companies. This second annual edition of the survey saw a
significant increase in responses, with the involvement of some of
the UK's largest retailers and consumer goods businesses.
This year's survey has again crossed borders to include
responses from three Swiss businesses. Respondents were typically:
Chief Information Security Officers (CISO), Information Security
Managers, Chief Security Officers (CSO) or IT Directors. Retailers
made up 48% of respondents and consumer goods businesses 35%, with
the remaining 17% of surveys completed by businesses operating in
the business service sector.
Key findings
Over half of the companies interviewed have experienced project
cuts as a result of the economic downturn.
91% of consumer businesses have experienced at least one
information security breach in the last 12 months, a 27% increase
on last year.
48% of CB companies anticipate that social engineering will be
a major threat to security in 2009.
96% of consumer businesses have third parties with access to
their customer data.
57% do not carry out periodic security assessments once third
parties have been engaged.
74% of companies do not have a defined information security
training and awareness programme.
43% of CB companies have a formally defined information
security strategy, compared with 20% last year.
Top five threats envisaged in 2009:
Social engineering
Theft or leakage of internal data
Employee misconduct
Virus/worm outbreaks
Weak passwords
Top five security initiatives:
Regulatory compliance
Data leakage
Reporting and measurement
Infrastructure improvement
Governance
The general state of security
The need for diligent security practice has never been greater
than during this time of increased economic uncertainty. The CB
Sector has been hit particularly hard, with slowed growth,
decreasing profits and an increasing number of high-profile
insolvencies. The results of the survey show that while relative
investment in security is expected to maintain an upwards trend,
the immediate effects of the economic downturn are putting pressure
on security and technology budgets.
The impact of the economy on security budgets has the potential
to negatively affect security and compliance initiatives over the
coming year. 55% of respondents have experienced project cuts as a
direct result of the credit crunch and 30% expect budget cuts in
2009. When asked about plans to fulfil PCI DSS* compliance, 79% of
respondents processing card payments said that they have started
programmes to do this. With 45% of companies planning to meet PCI
requirements and estimating spending in excess of £1
million**, any budget and project cuts are likely to cause delays
in achieving compliance.
The focus of our 2007 CB security survey*** report was the
tactical (rather than strategic) approach that businesses were
taking to information security. This year's results indicate
that businesses are beginning to trend toward a more strategic
approach to security with 43% having a formally documented
information security strategy, compared to...