Vulnerabilities in social networking and a downturn in security investment are regarded as major threats to corporate information security, according to research from Deloitte Touche Tohmatsu.
A survey of more than 200 organizations globally indicates a significant drop in security investment, which is having a detrimental impact on overall security. In the 12 months leading up to this year's survey, the third edition of the Global Security Survey for the Technology, Media and Telecommunications Industry, 32 percent of respondents reduced information security budgets. Some 60 percent of all respondents believe they are “falling behind” or still “catching up” to security threats.
The downturn in spending could cause some companies to be unprepared for increasingly sophisticated attacks and emerging exploits.
“There is a minimum level of diligence required below which companies may be exposing themselves to critical risk,” according to the report. “Security is particularly vital in an era in which digital malevolence is more prevalent than ever.”
The report says that cutting spending now is a mistake, and that companies should not forget about their long-term goals.
“At some point, the global economy is going to bounce back,” the report's authors write. “Companies that underinvest in security now may find themselves vulnerable and unable to capitalize on the recovery.”
The report also shows that even though technologies such as social networking and blogs can be powerful enablers for an organization, they also increase the organization's internal security challenges.
“Used correctly, [social networking] can help a company challenge and sharpen its thinking,” the authors write. “But with so many companies and employees embracing new technologies and ways to communicate, new vulnerabilities are constantly emerging.”
More than 80 percent of the survey respondents regard social engineering and the exploitation of vulnerabilities in Web 2.0 technologies as a threat to a company's information security. Employees unintentionally release sensitive information without realizing the consequences, according to the report. In other cases, employees may be using social networks for activities that reflect badly on the company.
“Either way, the company could ultimately be held responsible,” the authors write. “No wonder companies are feeling significantly less confident about their ability to deal with internal security risks.”
Only 28 percent of respondents rated themselves as “very confident” or “extremely confident” with regard to internal threats, which is down from 51 percent in 2008. Companies can protect sensitive data simply by limiting information access to only those employees who must have it. But according to the survey data, the number one security problem reported by security auditors is “excessive access rights.”
“The number one priority needs to be protecting the organization from itself,” according to the report.