High-profile data-loss stories have made Irish firms more aware of protection policies, writes KARLIN LILLINGTON
NUMEROUS data-loss cases in headlines over the past two years have made Irish companies far more aware of privacy and data security policies and protections within their own companies, compared to their international colleagues.
But a lower level of Irish company concern about the potential actions of disgruntled employees and a move towards greater offshoring of data processing and the transfer of data to third-party management may not bode well at a time of corporate downsizing and the introduction of Nama.
In Ernst & Young’s year-end information-security survey of 1,800 worldwide organisations, more Irish than global executives see managing privacy as a key issue. About 69 per cent of Irish managers, but only half of global managers, ranked this as their top security concern in the coming year.
Ireland is a perfect example of how negative publicity can galvanise a change in attitudes towards security, says Mike Harris, director of advisory services in the financial services section of Ernst & Young Ireland. He notes that, in 2008, information privacy and data theft was a far lower concern to Irish businesses, with only 39 per cent in Ireland noting it was a priority, compared to 49 per cent of executives surveyed globally.
But then came a year of constant publicity about data loss at well-known companies due to accounts being hacked, laptops and other devices lost, stolen, or misplaced, and other misfortunes.
“Nobody wants to have their organisation in the paper and no board member or CEO wants a microphone in their face,” says Pat Moran, advisory services partner at Ernst & Young Ireland.
As a result, while many international organisations are struggling with concepts like encryption, the Irish are actually very good at it, says Harris.
In addition, 96 per cent of Irish companies said they had a clear understanding of privacy laws and regulations compared to only 73 per cent of international companies.
“Organisations are also currently going through huge change programmes to drive down cost,” Moran says. “So there’s a question about how do we protect security risks while going through this change?”
One interesting finding in the survey is that, even though people are cutting costs, their budgets for spending on information security, internationally and in Ireland, remain fairly static on average. “Security is still an area that needs to be complied with,” says Moran.
However, Ireland is out of step with international trends. Globally, more companies are increasing their security spend, with 40 per cent of global companies saying they were increasing their security budgets in the next 12 months. Only 19 per cent of Irish companies are doing likewise. By contrast, in the 2008 survey, 60 per cent of Irish companies said they were increasing their security spend compared to 50 per cent globally.
Moran says this may reflect harsher financial conditions and greater budget restrictions for Irish companies over the past year.
A continuing trend towards saving costs through offshoring – moving data or activities over to a third party in another country, or third-party management at home – may introduce risks that Irish companies in particular are not recognising.
Ireland outsources more security-related activities than global companies, according to the survey, with 62 per cent outsourcing security assessments and audits compared to 44 per cent of global companies, for example. Some 52 per cent of Irish companies outsource their firewall management – where it may be more difficult to spot problems when they start to happen – compared to about 30 per cent internationally.
The fact that the financial services industry is traditionally one of the slowest to adopt new security technologies and processes – ironically, because the sensitivity of the information it manages means it acts very slowly to introduce any possible additional risk – must be of concern as Irish institutions prepare to transfer huge amounts of sensitive data over to Nama, Moran says.
“That will present quite a lot of challenges around information security risks,” he says. “There’s quite a lot of information on property developers and loan information being transferred from the banks to Nama, and the data security around that is going to be very important.”
He also notes that the EU is getting more aggressive about how organisations manage their business. For example, there is a move to require sell-offs of some company divisions. Such activities will present additional security risks.
“It’s forcing organisations to restructure, and presents security risks they wouldn’t otherwise have,” he says.
One issue is that many if not most companies do not have an inventory of the information they hold, which makes it very difficult to design adequate security policies.
Another issue raised by this survey is employee risk. At a time of mergers and downsizing, there are plenty of opportunities for disgruntled ex-employees to cause problems.
However, Irish companies are either more confident about their employee relations, or less aware of the issue. “The rest of the world sees internal threats rising, but less so, interestingly, in Ireland. Maybe there’s a bit of naivety in Ireland,” says Harris.
Security agendas: for Irish and international companies
ORGANISATIONS WERE asked by Ernst & Young to select from a list what their top three security priorities would be in the coming year. Their responses were as follows:
- Percentage which said implementing or improving data leakage prevention technologies and processes:
– Ireland 53.8%
– worldwide 18.8%
- Percentage which said improving information security risk management:
– Ireland 23%
– worldwide 17.2%
- Percentage which said regulatory compliance:
– Ireland 11.5%
– worldwide 6.9%