
Information Security Survey in Czech Republic 2003

 

PSIB

Information security is no longer an “unexplored area”. We have an extensive range of technical studies dealing with the analysis of this area using formalized scientific methods. Information security is taught at universities, and a large number of standards, certificates or “best practice” examples exist. Regular conferences devoted to individual aspects of information security are organised both in our country and worldwide, and international associations of security professionals are being established with well-developed educational systems.

 

In contrast to the historical approach to information security, which took only the technological aspects into account, we have now arrived at a comprehensive understanding in which an important role is played by the people who work with information and technology and by the processes designed for the secure and effective management and operation of information systems. We already understand, in theory and in practice, that information security is not and should not be solely the responsibility of IT personnel, but should be addressed by management in particular. Without their understanding and support, any solution will be incomplete and ineffective.

 

In connection with information security, topics such as “IT Governance” or even “Corporate Governance” are starting to be discussed, and not only on a theoretical level.

 

The above is theory. However, how much does theory apply in everyday life? Where are the weaknesses? Which industries are the “pioneers” in applying the theoretical knowledge in the actual operation of information systems? If we look back, are we better off or worse off than two or four years ago? The Czech Information Security Survey 2003 sets out to answer the above questions. The third year of research brings a unique opportunity to abandon an analysis of absolute figures and consider implied trends, which appear more than surprising in certain areas. The aim of the research was to offer an opportunity for the comparison and understanding of past developments and the consideration of possible future options. The partners who initiated the research in 2003 were as follows:
Ernst & Young, DSM (Data Security Management) magazine and the National Security Authority.

 

 

 

 

THE MAIN FINDINGS

  • The Internet and e-mail are the biggest threats to information security. Since 1999, the number of employees with Internet access has increased from 17 % to 47 %. On the other hand, the number of organisations that have encountered an incident in the form of a virus downloaded with a file from the Internet has grown by more than 70 %.
  • There has been a significant move towards Internet and e-mail security over the last 4 years: the number of organisations protected by a firewall increased by 34 %, those with antivirus security by 50 % and those with internal guidelines regulating the use of the Internet by 22 %.
  • With the exception of the Internet, a certain stagnation in the development of security solutions can be observed compared to previous years.
  • Generally low security awareness is still the biggest obstacle to a faster enforcement of information security in the Czech Republic. Compared to the situation two years ago, the financing of solutions has become a burning issue, while the problem of insufficient support from top management has become much less of an issue.
  • Within the last two years, a total of 49 % of organisations suffered a security incident with a direct financial impact exceeding CZK 800,000 on average.
  • Among the incidents most often encountered by the organisations are: power failure, computer viruses, hardware disruption, user errors and program errors. For 14 % of the organisations, a natural disaster, most probably the 2002 flooding, represented the most significant incident within the last two years with a direct impact exceeding CZK 3 million on average.
  • Since 1999, the number of organisations with a defined security policy approved by top management has increased by 11 %.
  • 51 % of organisations currently use digital signatures or intend to use them within one year. The aim of most organisations is communication with known and defined business partners and customers.
  • Since 2001, the number of organisations with a separate budget for information security has not changed. Compared to 2001, however, the size of the security budget relative to the total IS/IT budget has dropped from 10 % to 8 %.
  • In 2001, the proportion of companies solving information security exclusively through internal sources and companies using external firms was even. The current ratio is 3:2 in favour of companies co-operating with external firms.
  • 13 % of organisations employ a professional whose main responsibility is information security. The average monthly remuneration of 80 % of these professionals is less than CZK 40,000.
  • Banks and financial organisations in the Czech Republic have a clear leading position in the achieved level of information security solutions.
     

„Sources: PSIB'03, Ernst & Young, DSM - data security management, NBÚ“

© Ernst & Young, DSM - data security management, NBÚ, 2003


 
DSM is a professional quarterly focused on information security and data protection. Its mission is to give readers an up-to-date overview of information and development trends in their broader legislative, social, methodological and technological context. The magazine has been published since 1997 and has been a peer-reviewed journal since 1998.