Consumer Business organizations should refocus security efforts to better respond to threats: Deloitte study

New York, Many consumer business organizations are not focusing on the right areas to best respond to threats, according to the inaugural Deloitte Touche Tohmatsu (DTT) 2009 global Consumer Business security study, “Security can’t be discounted”, released today. Infrastructure, security governance, insider threats, and budgets are among the areas that need to be re-examined in light of the current information security threat environment, the study reveals.

The DTT Consumer Business study is based on discussions with information technology executives and information officers of global consumer business organizations, and includes perspectives and commentary from Deloitte member firm subject matter experts.

“Consumer business organizations are the ‘front lines’ when it comes to customer information because of the amount of personal and financial data with which they are entrusted,” says Adel Melek, DTT Global Security, Privacy & Resiliency Leader. “Our study found that the industry needs to re-focus its information security efforts to best respond to increasingly sophisticated and innovative threats.”

The DTT study reveals that, in many areas, consumer business organizations are simply not focusing on the right areas to best respond to the threats that face them:

* Many organizations still consider information security primarily a technology infrastructure issue. Fifty one percent of respondents identify their top security initiative for 2009 as security infrastructure improvement.
* Respondents are placing a less prominent focus on security governance – 53 percent of organizations are operating without an approved security governance structure, despite the fact that security governance helps to ensure that proper security controls are in place.
* Managing insider threats receives a low ranking among top security initiatives for 2009 – only 10 percent of organizations interviewed identify it as their top priority, despite respondents acknowledging that people, including third parties, are their organizations’ weakest link.

Additional findings include:

* Business continuity and disaster recovery have been neglected in the past but are getting more attention. Only 9 percent of responding organizations have an enterprise-wide business continuity plan that has been documented and approved for all critical functions. But this is not a state that respondents are satisfied with, since disaster recovery is the second most-mentioned security initiative for 2009.
* Consumer business organizations have a “last one to adopt” approach when it comes to security technology. When asked which category best describes their organization’s adoption of security technology, 52 percent of respondents state that they are “late majority”, meaning that they are content to use technology that is “proven”. However, old hardware and out-of-date technology may put customer data at risk.

Methodology

The 2009 Consumer Business global security study reports on the outcome of focused discussions between Deloitte member firm Security, Privacy & Resiliency Services professionals and information technology executives of top global consumer business organizations. Discussions with representatives of these organizations were designed to identify, record, and present the state of the practice of information security in the consumer business industry with a particular emphasis on identifying levels of perceived risks, the types of risks with which consumer business organizations are concerned, and the resources being used to mitigate these risks. To fulfill this objective, senior members of Deloitte Touche Tohmatsu’s Security, Privacy & Resiliency Group designed a questionnaire that probed various aspects of strategic and operational areas of security and privacy. Responses of participants were subsequently analyzed and consolidated and are presented in both qualitative and quantitative formats.
About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than140 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte’s approximately 169,000 professionals are committed to becoming the standard of excellence.