Deloitte security report throws up some surprises
Posted: 31 July 2008
"Deloitte’s 2008 survey of information security practices across the energy and resources (E&R) sector globally provides key pointers for organisations seeking to ensure their information security does not constitute a source of either strategic or operational weakness," said Adel Melek, Deloitte Global head of Security & Privacy Services, in Sydney last week.
Two-thirds (67 per cent) of the E&R organisations surveyed cited human error as the most significant root cause of security failure, ahead of either technology or operations.
Yet almost one third (29 per cent) of those surveyed did not provide employees with any training on information security or how to identify suspicious activities.
"For a sector so well versed in training its people this is a surprising omission," said Mr Melek.
"Particularly as the need for security to remain a high priority is clear from the level of incident.
More than half the survey respondents (53 per cent) had suffered an email attack in the last twelve months, with 44 per cent experiencing repeated attacks.
"Participation in the survey was heavily skewed towards the energy rather than resource end of the sector," said Tommy Viljoen, Head of Deloitte’s Security & Privacy practice in Australia.
"What is surprising however is that little more than half (55 per cent) of global survey respondents had a formal business continuity plan (BCP) in place.
"Moreover while 81 per cent had some form of crisis management plan in place, only 27 per cent had nominated crisis management teams or regularly tested their crisis management plans.
"We all know that practice makes perfect. The best-looking document in the world can contain significant holes which only become apparent through the crucible of testing," said Mr Viljoen.
"Of course, having an online retail customer interface has been a secondary reason for utilities to be information security conscious. Globally the trend in information security attacks has been away from attacks on infrastructure to what has been perceived as a weaker link - web application security," Melek said.
"We have moved well beyond politically or ideologically inspired hacking so following the money is important. But it is for this reason that resource companies should not be complacent about information security."
"Money scams are not the only source of value to be derived from criminal activity targeting organisations."
"Globally we are seeing a growing level of highly sophisticated attacks from a surveillance and intelligence perspective. Mining is currently the hottest sector on the planet.
"Organisations need to give thought to how much damage they would sustain if their strategic business plans - their plans for consolidation for example - were to be accessed via competitive or hostile sources through information security failure.
"Organisations need to establish the real sources of information security threat, which may not be immediate financial gain, but tactical and strategic advantage. With a better understanding of the sources of threat, organisations can begin to focus their information security response appropriately," said Melek.
Posted by Richard Price, Editor EnergyME.com
Information supplied by companies or PR agencies who are responsible for content. Send press releases to richard@energyme.com