Singapore, 30 October 2008 - Asian companies have made dramatic gains in upgrading their information security efforts, according to the 6th annual Global State of Information Security Survey® 2008. The study - the largest of its kind - was conducted by PricewaterhouseCoopers (PwC) in conjunction with CIO and CSO magazines. The study polled more than 7,000 information technology executives from 119 countries across all industries on the challenges of protecting corporate information assets.
Boosted primarily by the widespread progress made by Indian companies, Asian companies are now on par with, and in a number of cases surpass, North American companies in establishing leading practices in security, the study found. “What is clear from this year’s survey is that Singapore companies have made significant efforts to improve their security measures,” said Tan Shong Ye, Advisory Partner and head of Singapore’s Security & Technology practice in PwC.
Increasingly, companies are viewing security from a strategic and management perspective, to an extent that well exceeds global averages. Eighty percent (80%) of respondents from Singapore were reported to have an overall information security strategy in place (versus the global average of 67% and Asia average of 64%), as compared to 63% in 2007.
The survey also reveals that Singapore has made significant strides in the deployment of security technology. Seventy-nine percent (79%) of respondents from Singapore were reported to have installed application firewalls (versus the global average of 67%), and sixty-six percent (66%) said they have deployed web service security measures (versus the global average of 58%). When looking at security from a strategic and management perspective, seventy-four percent (74%) were reported to have established standards and procedures for technology infrastructure deployment, well above the global average of 51%. Sixty-four percent (64%) were reported to have put in place comprehensive business continuity or disaster recovery plans (ahead of the global average of 55%). “To further maximise the value of their security technologies already deployed, Singapore companies should implement a cohesive security strategy, supported by the right people and utilise effective management processes,” Mr Tan added.
This year, respondents from across numerous industries and sectors, countries and regions, business models and company sizes, reported double-digit growth in implementing new security technologies. Overall, 74% of respondents reported that information security spending will either increase or stay the same over the next 12 months, with Singapore respondents sharing similar sentiments (71%). One of the top priorities for Singapore respondents over the next 12 months is implementing a data loss prevention (DLP) capability (88% versus the global average of 40% and Asia average of 58%).
However, although organisations continue to invest heavily in security technologies such as software for DLP, intrusion detection, encryption and identity management, they are still struggling with aligning the right elements. “There appears to be misalignment between the security processes, people awareness and education measures and the implementation of security technologies. As a result, many companies fail to extract the full value of their security investment,” Mr Tan elaborates.
According to the study, more organisations than ever are encrypting databases (55%), laptops (50%), backup tapes (47%) and other media to safeguard data, in particular customer information and intellectual property. Fifty-nine percent (59%) of respondents said they have implemented intrusion detection software (62% compared to 52% in 2007), firewalls to protect individual applications (67% compared to 62% in 2007) and put in place disposal procedures for outdated computer hardware (67% compared to 58% in 2007). “However, the flip side is that the majority of security expenditure still comes from the IT group (57%), followed by the corporate security department and then other functional areas such as marketing, human resources and legal. This indicates that comparatively more attention is given to security technologies, while the importance of organisational-wide corporate security processes and people awareness measures tend to be ignored,” concludes Mr Tan.
Notwithstanding the rapidly evolving maturity of organisations’ security capabilities, the report revealed a surprisingly high percentage of respondents to the “don’t know what they don’t know” question. Many respondents were unable to answer basic questions concerning the risks to their company’s key information assets. Thirty-five percent (35%) of respondents were not sure how many security incidents their organisations have had in the past 12 months.
In China, as compared to Asia overall, a much higher number was reported when respondents were asked about the number and types of security incidents and estimated total financial losses as a result of security incidents in the past 12 months. On average, 285 incidents were reported by each respondent in China versus a global average of 28 and 45 in Asia. As a result of these security incidents, China respondents reported that approximately US$980,000 of total estimated financial losses were incurred versus US$750,000 in Asia and US$308,000 in India. In contrast, Singapore companies fared much better. On average, only 2.5 incidents were reported by each respondent in Singapore, and the average estimated financial loss reported was US$29,000. This shows that Singapore companies are indeed reaping returns from their investment in security (average US$3.3 million, which is higher than the Asian average of US$1.3 million).
Furthermore, 42% of respondents in China reported that their applications, systems and networks were exploited versus only 17%, 15% and 20% of global average respondents elsewhere reporting those types of security incidents respectively. In contrast, only 18% of Singapore respondents reported security incidents related to their applications, 8% of respondents had incidents related to their systems and 16% encountered incidents concerning their networks.
In terms of assessment and compliance processes, Singapore companies demonstrated a significantly higher degree of vigilance as compared to the global respondents. Sixty-four percent (64%) of respondents (versus global average 54%) actively monitor/analyse information security intelligence, 58% (versus global average 44%) perform compliance testing and 69% (versus global average 52%) conduct security audits.
“In this technology-driven and reliant environment, companies need to insist on a risk-based, integrated and proactive approach to safeguard their information assets. What is clear from the findings of our survey, is that information security and data management is not solely a matter of having an Information Security governance framework and supporting technology, but requires three key elements, people, process and technology, to be working in combination across the entire organisation,” said Keith Stephenson, Asia Pacific Performance Improvement Leader of PwC.
To learn more about the survey, including industry specific highlights and further regional information, please visit www.pwc.com/giss2008.
1. Survey methodology
The Global State of Information Security 2008, a worldwide security survey by PricewaterhouseCoopers, CIO and CSO magazines, was conducted online from March 25 to June 26, 2008. Readers of CIO and CSO magazines and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results discussed in this report are based on the responses of more than 7,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 119 countries. The margin of error is ±1%.
2. About PricewaterhouseCoopers – Globally
PricewaterhouseCoopers provides industry-focused assurance, tax and advisory services to build public trust and enhance value for its clients and their stakeholders. More than 145,000 people in 153 countries across our network share their thinking, experience and solutions to develop fresh perspectives and practical advice.
“PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.
3. About PricewaterhouseCoopers - China, Hong Kong and Singapore
PricewaterhouseCoopers China, Hong Kong and Singapore operate on a combined basis, subject to local applicable laws. Taken together, we have more than 460 partners and a strength of 12,000 people.
The firm provides a wide range of services to help organisations solve business issues, identify and maximise opportunities. Our industry specialisation enables us to identify trends and customise solutions for your sector of interest. Each line of service is staffed with highly qualified, experienced professionals and leaders in our profession. These resources, combined with our global network, allow us to provide the support you need wherever you may be located.
We are located in these cities: Beijing, Hong Kong, Shanghai, Singapore, Chongqing, Dalian, Guangzhou, Macau, Qingdao, Shenzhen, Suzhou, Tianjin and Xi’an.
Chia Sher Ling
Manager, Marketing & Communications
Direct Tel: +65 6236-3961
Consultant, Marketing & Communications
Direct Tel: +65 6236-7257