Information Security Survey in Slovak Republic 2004
We are pleased to present the results of the premier complex information security survey in the Slovak Republic for the year 2004. Our brief comments on parts and issues of the survey should not substitute for comprehensive analyses of the survey results. The comments should be seen as a primary interpretation of the results, providing a first impression that compares expectations with reality – experience shows that first impressions are generally reasonably accurate. Later on, information security can be looked at from various points of view. We can look for causes and, most importantly, we can formulate conclusions which will push information security closer to the ideal state. The sooner and more consistently this is done, the more we will appreciate this first step, which lays sound foundations for the creation of an information society. Also of great importance at this time is the fact that all further activities in information security will be based on a real, representative survey and not just on presumptions and individual views. It is important to continue the survey in future years. The findings of these future surveys will correct the results of the current one and will bring to light the changes, trends and desirable ways of moving forward.
Despite a significant degree of uncertainty in the survey conclusions, which logically results from having an insufficient sample, one conclusion is absolutely definite. Information technologies and information technology security are two individual areas, although partially related. This is the result of historical evolution, and it is interesting that even significant losses, not only financial, could not radically change conditions with respect to the integration of these two areas. Finally, the number of security incidents convinces us of this fact every day. Potential opponents of this inference could be referred to an analysis of the relevant legislation, which does not recognize any qualified institution for imposing sanctions, in the better case for malice and in the worst case for crime in information security.
The results now presented are valuable because they are comparable to the results of the similar, ongoing survey in the Czech Republic. Our thanks also go to the international team which initiated this survey:
DSM – Data Security Management magazine, KPMG and the National Security Authority.
THE MAIN FINDINGS
- A total of 93 % of organisations stated that information security is important or even very important for them concerning their primary goals. But only 60 % of organisations are convinced they pay sufficient attention to information security.
- 15 % of organisations employ a professional whose main responsibility is information security. The average monthly remuneration of 80 % of these professionals is less than SKK 40,000. Among the most appreciated skills and knowledge are an understanding of information security issues and even technological IS/IT knowledge.
- In more than half of organisations, the IS/IT department is responsible for security. In only 5 % of organisations is the security department the one responsible for security.
- A total of 58 % of organisations have a security policy defined and approved by top management. 80 % of organisations with more than 1000 employees have a security policy.
- The incidents most often encountered by organisations are power failure, computer viruses and hardware malfunction. The average direct financial loss from the most significant incident was SKK 120,000.
- The Internet and e-mail are considered to be the biggest threats to information security by more than two thirds of organisations.
- Email attachment viruses or viruses coming from downloaded files were the most frequent Internet-related incidents. Virus scanning (antivirus software) and a firewall are the two dominant elements of Internet security solutions – they are used by almost three quarters of organisations in Slovakia.
- A total of 46 % of organisations have disaster recovery plans for IS. But only 16 % periodically update and test these plans.
- 73 % of organisations performed an IS risk analysis in the last two years. 20 % of organisations have never performed a risk analysis.
- 61 % of organisations co-operate with external firms in solving information security issues.
- 16 % of organisations have a separate dedicated budget for information security. The average size of this budget is 10 % of the overall IS/IT budget within the organisation.
- Electronic signatures are currently used by 18 % of organisations, and another 14 % intend to use them within one year. More than 3/4 of organisations use electronic signatures, or intend to use them, for communication with known and defined business partners and customers.
- Two thirds of the survey respondents are persuaded that the level of information security is worse or even significantly worse in Slovakia than in advanced western European countries.
- The two biggest barriers to faster information security implementation in Slovakia are low security awareness (39 %) and the financial cost (18 %).
- Banks, insurance companies and other financial organisations have a clear leading position in the achieved level of information security solutions.
"Sources: PSIB SR '04, KPMG Slovensko, DSM – data security management, NBÚ SR"
2005 © KPMG Slovensko, DSM – data security management, NBÚ SR







