Businesses to increase IT security budgets

Published 22 October 2008

Ernst & Young finds that at least 50 percent of companies are set to increase their IT budgets, the current financial difficulties notwithstanding

Despite tightening economies worldwide, 50 percent of companies surveyed are set to increase their information security budgets, Ernst & Young reports. “A single security incident can destroy years of brand and reputation building,” said Kent Kaufield, Ernst & Young’s National Technology Security Risk Services leader in Canada. “Organizations now recognize security setbacks can adversely affect stakeholder perceptions. Regulatory compliance once drove information security improvements. Today, however, organizations are strongly motivated by a need to protect their brand and their reputation against potentially devastating media coverage of security breaches.”

Ernst & Young’s 2008 Global Information Security Survey found most survey respondents believe a security incident would have a greater impact on reputation and brand than on revenues. Eighty-five percent cited damage to reputation and brand as significant, compared with 72 percent for loss of revenues. Only 68 percent cited regulatory sanction. “It’s crucial for organizations to spend their information security budgets wisely. It’s not enough to simply fund technical solutions such as encryption. Businesses need to develop training and awareness programs, and adopt more sophisticated testing techniques,” Kaufield said.

The survey canvassed nearly 1,400 senior executives in more than fifty countries. Only 5 percent of those surveyed plan to decrease their current information security budgets. Other key findings include the following:

  • International information security standards are gaining greater acceptance and adoption.
  • Many organizations still struggle to achieve a strategic view of information security.
  • Privacy is now a priority, but actions are falling short.
  • People remain the weakest link for information security.
  • Growing third-party risks are not being addressed.
  • Business continuity is still bound to information technology.
  • Most organizations are unwilling to outsource key information security activities.
  • Few companies hedge information security risks with cyber insurance.