TMT Vertical Spending On Security Declines With Crisis: Deloitte

Companies in the technology, media and telecommunications industries (TMT) significantly reduced investment in security spending in 2008, according to a new survey from Deloitte Touche Tohmatsu. The third edition of the Deloitte TMT Global Security Survey reveals that 32 percent of respondents reduced their information security budgets, while 60 percent of respondents believe they are ‘falling behind’ or still ‘catching up’ to their security threats, a significant increase from 49 percent over the previous year.

“This year’s results indicate companies are explicitly scaling back. With funding decreasing and threats increasing, it is more important than ever for TMT companies to be highly cost efficient in addressing their security risks,” said Irfan Saif, a principal in Deloitte and Touche LLP’s Audit and Enterprise Risk Services practice. “Companies that do not have a sound understanding of their security risk profile, or who under-invest in security now, may find themselves exposed to significant and increasingly sophisticated threats that they are not equipped to mitigate.”

With the proliferation of digitised assets, security should claim a significant portion of a company’s overall IT budget. However, only 6 percent of respondents allocate 7 percent or more of their total budget to IT security. This year represents a significant decline from the previous edition of the survey, which showed that 36 percent of the respondents allocated 7 percent or more of their budget to IT security.

The survey also indicates that declining security investment is hindering adoption of new security technologies, with only 53 percent of respondents considering their organisations to be early adopters, or part of the early majority, down from 67 percent in 2007. Companies are focusing more effort on optimising solutions that are already in place rather than investing in cutting-edge technology that can be capitalised upon during economic recovery.

Social Networking Adds to the List of Insider Threats

While social networks and blogs can be powerful enablers, they also increase organisations’ internal security challenges. In today’s connected world, insider threats are greater than ever. Survey results show that ‘exploitation of vulnerabilities in Web 2.0 technologies’ and ‘social engineering’ techniques such as pretexting and phishing are regarded as threats to a company’s information security, by 83 percent and 80 percent of respondents, respectively.

Furthermore, generational differences have a major influence on perceptions of privacy. Information sharing for the youngest generation of TMT workers can test the limits of traditional privacy laws. In contrast, older generations have a different perspective on privacy. Survey respondents recognise this issue, with 56 percent rating ‘cultural interpretations’ as an ‘average’ to ‘very high’ threat to their information security.

The survey also notes that, with new vulnerabilities constantly emerging, TMT companies are less confident in their ability to deal with internal security risks. This year, only 28 percent of respondents rate themselves as ‘very confident’ or ‘extremely confident’ with regard to internal threats, down from 51 percent in 2007. Forty-one percent of respondents experienced at least one internal security breach in the past 12 months.

Additionally, companies do not have the necessary resources in place to cope with emerging network vulnerabilities. Only 47 percent of those surveyed currently have a privacy programme in place, and only 44 percent have an executive responsible for privacy – the latter down from 50 percent a year earlier. This aligns with the fact that many TMT companies do not have a programme for managing privacy compliance (33 percent), a written privacy policy (28 percent) nor a formal directive with respect to the destruction of personal information (28 percent).

“Information and intellectual property are the lifeblood of a TMT company,” said Saif. “Taking calculated measures to protect these precious assets, especially in the current environment, may encourage more openness and collaboration rather than hinder it. It is critical for TMT companies to be proactive in this regard.”

Regulatory Issues Are Moving to the Forefront

TMT companies face a myriad of rules and regulations that relate to information security and strict compliance is critical, particularly in a tough economy. Failure to comply can expose a company to hefty fines and significant liability. However, compliance with rules and regulations may not be sufficient for TMT companies to mitigate their information security risks. More than 67 percent of respondents say that regulatory security requirements are at best ‘somewhat effective’ for improving their information security posture. A majority (57 percent) of respondents believe that senior executive support for effectively meeting regulatory requirements is either missing or inadequately funded.