Out-Law News

Information security neglected by CEOs
Company leaders are failing to act to protect their information security, despite becoming more aware of the risks involved, according to the 2004 Ernst & Young Global Information Security Survey, published this week.

The survey, which polled 1,233 organisations, representing some of the leading companies in 51 countries, found that although company leaders are increasingly aware of the risks posed to their information security by people within their organisations, they are not acting on this knowledge.

Over 70% of respondents failed to list training and raising employee awareness of information security issues as a top initiative, said Ernst & Young. This is despite concerns over employee misconduct with regard to information systems being the second highest threat perceived by respondents.

Top of the threat list was concern over an attack by computer virus, worm or Trojan horse, with 77% of respondents giving this a high threat rating.

As organisations move toward increasingly decentralised business models through outsourcing and other external partnerships, it becomes ever more difficult for them to retain control over the security of their information and for senior management to comprehend the level of risk to which they are exposed, warned the professional services firm.

"Companies can outsource their work, but they can't outsource responsibility for its security," Edwin Bennett, Global Director of Ernst & Young's Technology and Security Risk Services, said. "Fewer than one-third of those companies conduct a regular assessment of their IT providers to monitor compliance with information security policies – they are simply relying on trust. Organisations have to demand higher levels of security from their business partners."

The Ernst & Young survey indicates that organisations remain focused on external threats such as viruses, while internal threats are consistently under-emphasised. Companies will readily commit to technology purchases such as firewalls and virus protection, but are hesitant to assign priority to human capital.

"While the public's attention remains focused upon the external threats," said Bennett, "companies face far greater damage from insiders' misconduct, omissions, oversights, or an organisational culture that violates existing standards."

Companies should place more emphasis on creating a security-conscious culture that includes setting the right "tone at the top." This is vital to changing the way organisations approach information security, Bennett believes.

"Companies can transform their view of information security, and approach it as a way to gain competitive advantage and preserve shareholder value, rather than merely consider it a necessary cost of doing business," he said.

"However, this transformation must be led by a visible shift in attitude from the CEO and the board. At present, only 20% of organisations view information security as a CEO-level priority. More could and should be done to transform the skills and awareness of their people, who often present the greatest opportunity for vulnerabilities – and convert them into its strongest layer of defence."
