When ignorance doesn’t bring bliss
Asian organisations will find the growing number of viruses,
worms, spam, and hacking activities harder to tackle if they continue to be
lax about measuring and addressing the business impact of information security
threats, says Leong Khay Mun
Based on the Asia-Pacific Computer Crime And Security
Survey conducted by CMP Business Media in August, an alarming number of Asian
enterprises (42 percent) say they don’t know how many computer crime or
security breach incidents have occurred in the last 12 months. CMP Business
Media publishes Intelligent Enterprise Asia and four other IT trade magazines
in Asia.
And out of the 1,853 respondents surveyed, only 22
percent reveal that they are able to quantify all or some of the losses resulting
from the incidents.
This lack of awareness isn’t uncommon, according
to security experts. “The reason is that security is not seen as an organisational
issue but an IT issue,” says Christopher Lim, senior consultant, Technology and
Security Risk Services with Ernst & Young.
So when top management is unaware of information security
needs, there will be a misalignment of information security spending with business
objectives, thereby compromising the security infrastructure even further.
This is a problem that plagues enterprises worldwide,
although a comparison between the US and Asia reveals that companies here have a
lot more work to do when it comes to filling gaps in their information security
coverage.
In fact, Asian enterprises seem to be more vulnerable
to attacks. For instance, Asian respondents are experiencing a high number of
security incidents, in the 31 to 60 and over 60 ranges, when none of
the US respondents have reported incidents in these ranges.
With the economy in flux, CIOs will find it even
harder to justify to the CEO or CFO why more resources need to be channelled
towards security projects. Budget constraints, resource priorities, and the lack
of skilled staff are in fact the top three things mentioned by companies globally
when asked about the obstacles to effective information security within their
organisation, reveals Lim.
To get the business folks’ buy-in, Lim suggests
CIOs raise their awareness by linking security strategies with business objectives.
“This doesn’t necessarily mean it’ll immediately
make it easier for you to get the funds,” says Lim, “but it will certainly
help people understand the importance of information security better.”
Only then will information security become the responsibility
of everyone in the organisation, and not just the IT department.
This article first appeared in Intelligent Enterprise
Asia
Compared to US companies, Asian corporations tend
to be less aware of the number of computer crime and security breaches that
take place. It seems that they are also more vulnerable to attacks and are
unaware of the losses resulting from a compromised information security
infrastructure. To ensure they get the support and investments they need,
CIOs need to constantly keep business executives informed of security needs.