Analysis: Experts discuss security in a recession

Many companies still lack a cohesive approach to security

A recent benchmarking study by PricewaterhouseCoopers (PwC) suggests that much work still needs to be done to ensure that a combined IT and corporate security function is adequately prepared to protect businesses from 21st century threats.

The consultancy firm approached 10 of its FTSE 100 clients to carry out the study, finding that many lacked a joined up approach to security which led to silos in IT security, as well as other areas like anti-terrorism and intellectual property infringement, without any cohesion.

The exercise resulted in six key findings, including the need for greater collaboration between departments, and better understanding of the risks from third parties as more and more services are moved offshore.

"The ability to restore business processes in a timely fashion could have been improved across the board, especially when you see how many third parties are going to the wall," said Steve Wright, security and business continuity management leader at PwC. "We found that they didn't seem to do enough risk analysis."

The study also found that firms need to improve their people security initiatives, as only 50 per cent demonstrated significant amounts of employee vetting.

"In an age when the pressure on the family unit to maintain a roof over their heads becomes immense, more employees could be suspected of doing something illegal," said Wright. "It is extremely hard to iron out but, if you're not doing the vetting in the first place, it really will leave you wide open."

Jay Abbott, a senior manager in PwC's technology assurance practice, who carries out penetration testing and ethical hacking work, agreed that "the insider threat has, and will continue to be, the biggest area of risk", but argued that physical security also needs to be improved.

"There are easier ways these days to get data out of an organisation than hacking, and the techniques are all known about by organised crime," he added.

The benchmarking study also looked at the main areas of responsibility for a combined corporate security and IT security function in the 21st century. These included a good understanding of information assets, thorough risk assessment methodologies, business continuity preparedness, and rigorous incident management processes.