Information Assurance Market Research, June 2009
Executive Summary
• Small response rate (n=43)
• General low awareness of information security controls and legislation
• 42% of organisations surveyed currently have an information security policy in place
• Only 6% of those who don't currently have a policy have plans to introduce one
• Training in information security viewed with average, or increasing, importance amongst respondents
• 12% currently interested in training or support with information risk management; 23% would potentially be interested in the future
• Low awareness of potential funding available
Survey Sample
• E-survey sent to the following distribution lists:
– Business School contact list (n ~ 270)
– Midlands Excellence contact list (n ~ 300)
– BDO contact list (n ~ 20)
• 43 responses received
• Response rate estimated at 9%
Demographics
• Size of organisation:
– Micro (<11 employees): 35%
– Small (11-49 employees): 19%
– Medium (50-249 employees): 19%
– Large (250+ employees): 26%
• Over 50% of respondents had ultimate or shared responsibility for information security compliance within their organisation
Industry Sector (n=43)
[Bar chart, values read in chart order; x-axis: industry sector, y-axis: percentage of respondents]
– Public Sector: 16%
– Charitable/not-for-profit Organisation: 21%
– Financial Services: 5%
– Education: 2%
– Manufacturing: 16%
– Banking & Finance: 5%
– Construction & Property: 2%
– Support Services: 7%
– Technology: 9%
– Training: 2%
– Marketing: 5%
– Management Consultancy: 5%
Are you aware of the BS7799 quality standard? (n=43)
A set of information security controls for an organisation's processes, derived by the British Standards Institute
[Pie chart] Yes: 23%; No: 37%; I have a limited awareness of it: 16%
Are you aware of the ISO27001 quality standard? (n=43)
Internationalisation of the British standard on information security
[Pie chart] Yes: 16%; No: 44%; I have a limited awareness of it: 19%
Have any supply chain partners or potential partners asked you whether you are ISO27001 certified or working towards certification? (n=43)
[Pie chart] Yes: 7%; No: 58%; I don't recall: 14%
Are you aware of the credit card companies' PCI DSS (Payment Card Industry Data Security Standard) regulations? (n=43)
[Pie chart] Yes: 28%; No: 47%
Are you aware of the recent changes to the Data Protection Act in 2008, which make what is defined therein as "reckless handling" of data an offence for which imprisonment is a potential outcome? (n=43)
[Pie chart] Yes: 33%; No: 47%
42% of respondents currently have an information security policy in place in their organisation (n=43)
[Pie chart] Yes: 42%; No: 26%; I don't know: 12%
Please tell us a little about the process you went through in implementing your information security policy and how you put it into practice.
• Reviewed best practice guidelines and adapted the policy of a larger organisation to suit our operation
• Developed by head of knowledge management
• Discussed with Business Link and used their templates.
• We involved an IT Security Consultant and wrote the Information Security Policy based upon the guidelines in BS ISO/IEC 17799. We also developed a shorter document that summarises the security policies and this is signed by all new members of staff using the IT systems.
• Via outside consultancy
• We reviewed guidance from National Government, Cabinet Office, the Information Commission and BS 7799 before creating an IT policy that contained statements covering each of these areas.
• Made people aware of how the internet, networks and PCs can be both tools and security threats. Provided examples of how companies and individuals suffered through lax security. Put in place safeguards against these threats: a single station and telephone line for internet use, unattached to any other computing equipment. Refused to allow any unauthorised software or files from third parties to be loaded on to systems. Made these conditions part of the employment contract, with disciplinary sanctions for transgressors.
• Written taking best practice from 27001 and the wider IT sector plus personal experience.
How do you communicate your information security policy to your employees? (n=18)
[Bar chart]
– The policy is available in a shared place for employees to view (e.g. intranet, shared network, employee handbook): 28%
– Training was provided on the policy at the time of implementation: 14%
– Line managers actively promote the policy: 12%
– Regular training updates are provided on information assurance: 5%
– Remedial action is taken upon those who breach the policy: 9%
How do you detect breaches of the information security policy? (n=18)
[Bar chart]
– Customer complaints: 16%
– Computer network alerts: 23%
– Contact from official public authority: 7%
– Contact from the Information Commissioner: 2%
Do you keep a record of security policy breaches? (n=18)
[Bar chart] Yes: 21%; No: 9%; I don't know: 9%
What action do you take when information security breaches are identified?
Responses included:
• Disciplinary action including dismissal
• Have not identified any as yet
• Investigate, review information and decide how to ameliorate the breach and prevent repetition through revisions to security processes
• Of the 26% (16) of respondents who currently didn't have an information security policy in place in their organisation, only 6% (1) had any plans to introduce one in the future
[Bar chart: plans to introduce an information security policy, among respondents without one] Yes, at some point in the future: 6%; No: 50%; I don't know: 25%
• When asked to consider who they would look to for assistance in implementing an information security policy, the most popular response was a specialist information security company (38%,6), closely followed by an internal IT Department (31%, 5). 6% (1) of respondents would consider a University for this.
• Respondents were only prepared to invest a very small proportion of their time in implementing such a policy (50% would invest 1 day or less)
How important do you consider training in information risk management to be? (n=43)
[Bar chart] Not very important: 9%; Of average importance: 16%; Increasingly important: 21%; Extremely important: 19%
• 21% of respondents had participated in risk management training in the past.
– In the majority of cases these were internal courses.
– External courses mentioned were BSI Information Security Best Practice BS 7799 and as part of a Chartered Manager impact submission.
• 42% of respondents had never participated in risk management training.
Would you be interested in training concerning risk management? (n=43)
[Bar chart] Yes: 12%; No: 28%; Probably in the future: 23%
In which of the following areas of information risk management might you be interested in external support? (n=19)
[Bar chart]
– Policy writing and implementation: 11%
– Providing a framework for compliance with the principles of ISO27001: 26%
– Setting up controls for ease of systematic recording: 26%
– Guidance and support with ISO27001 certification: 26%
– Bespoke consultancy service/support with implementation of any of the above: 11%
What format of training would you prefer? (n=16)
[Bar chart] Classroom based learning: 6%; An in-company course: 25%; Distance learning course: 13%; Online course: 25%; A combination of these methods: 31%
How much time would you be prepared to invest in information security training? (n=12)
[Bar chart] 1 day: 25%; 2-3 days: 25%; 1 week: 0%; Ongoing support over a longer period: 50%
Are you aware of any of the following funding opportunities which may make you eligible to receive financial assistance towards training?
[Bar chart] Director Development Programme: 12%; Index Vouchers: 9%
Recommendations
• Generally little awareness of, or interest in, information assurance matters from respondents; there are therefore concerns regarding product viability in its current conception, and the work would benefit from further research into specific market barriers and leverage points.
• The focus group will thus be ‘held in reserve’ for a suitable event with a relevant target audience with whom future products/packages could be ‘road tested’
• To progress product scoping, in-depth one-to-one research interviews with interested respondents could be utilised to:
– reveal insights as to potential recognition strategies towards increasing awareness
– help to ascertain why companies are not more concerned about information security issues
• A subject matter expert to identify niche SME market attributes, prior to future product development, using specialist knowledge of companies most ‘at risk’ from information security issues. This phase could facilitate the development of a stronger business case behind product design.