KPMG Global Security Survey 2002: 
A South African perspective

Frank Rizzo 
KPMG Information Risk Management
Tel (011) 647-7388
Fax (011) 647-6111
Cellular 083-251-4523 Email frank.rizzo@kpmg.co.za

The ultimate security is your understanding of reality

What is a true reflection of security in your organisation, in South Africa or even around the world? Do you know which weakest link is preventing you from achieving a truly secure environment?

KPMG’s first global information security survey provides some insight into these and other key concerns. We believe that this survey will make a major contribution to the global understanding of information security, and our sponsors CheckPoint, RSA, Symantec and Secure Computing Magazine share this belief.

The three main objectives for the survey were to:

A total of 641 organisations covering all key business and government sectors in Europe, the Middle East and Africa (EMEA), Asia/Pacific and the Americas, with a turnover greater than USD$50 and up to USD$5 billion, participated in the survey.

The survey was carried out through extended telephonic interviews with senior managers responsible for information security. IT directors (38%), IT managers (14%) and heads of information security (14%) were the largest groups of participants in the survey, followed by chief information officers (CIOs) and information security officers (ISOs) (10%).


Our survey highlighted viruses (22%), hackers (21%), remote access controls (17%), Internet security (10%) and data privacy as the most critical security issues affecting global organisations. The cost of security incidents runs into millions of US dollars, but the real cost lies in the loss of customer trust, business partners and opportunities that may never be realised.


The critical security issues for South Africa closely mirrored those of the rest of the world. The two most critical security issues facing South African organisations are viruses (20%) and remote access controls (20%), followed by hackers (16%), theft of or damage to data/information (8%) and education of users (6%).


Almost all organisations (96%) feel that they are taking reasonable steps to protect themselves. In reality, 87% of the organisations that participated in the survey suffered some form of security breach this year. The average direct loss from all breaches suffered by each participating organisation is USD$108,000! Virus incidents in South African companies resulted in an average loss of USD$54,000 per year, and theft of equipment in an average loss of USD$16,000 per year.


Companies do not protect information as well as they think they do. One reason is that they do not measure or report on security performance, or on how much is spent on information security in the organisation. The survey indicated that 70% of South African companies spend 1-10% of the IT budget on security and 15% spend 11-20%. Research has shown that it is much more cost effective to invest in security upfront, as a preventative measure, than to pick up the pieces and repair the damage after a security incident.

Any security project needs guidance to produce an effective security capability in the organisation. BS7799/ISO 17799 provides such guidance, as it is an international standard for information security management. The survey found that only 13% of the companies in South Africa have implemented ISO 17799 and 15% are planning to. Twenty percent of the companies in EMEA have implemented ISO 17799, 18% in Asia and 15% in the Americas. More financial sector (FS) organisations have implemented ISO 17799 (FS 25%, others 16%) than the other sectors. They also have more intrusion detection systems (FS 25%, others 16%) and measure security performance more often (FS 42%, others 33%). As a result, financial sector organisations have a lower level of security incidents in almost all areas than other sectors.

Many South African organisations make use of outsourcing for their security. Thirty-five percent outsource firewall administration and security design and development. Globally, 33% of organisations outsource firewall administration and 23% outsource security design and development.

Most organisations worldwide (51%) and in South Africa (43%) have not yet thought about implementing PKI. In South Africa only 8% have fully implemented a PKI solution, compared with 10% globally. The focus seems to have remained on passwords as providing adequate security. This is one area where South Africa seems to be ahead of the rest of the world, with 59% of organisations forcing monthly password changes in contrast with the global figure of 44%.


In summary: look for the weakest link. A company’s security is only as strong as its weakest link. Millions of dollars are lost each year when companies are not as well protected as they think. There are significant regional and market sector variances in security protection levels because few organisations measure and report on security incidents, which often results in immeasurable losses to the organisation.

KPMG assists its clients in addressing their weakest link. We recommend an enterprise-wide architectural approach to security, addressing security leadership, the security programme, security policies, security management, user management, information asset security, and technology protection and continuity. We also offer a range of information security and risk management services to help organisations protect themselves against security issues and breaches.

In order to implement an effective security capability, organisations need to identify their weakest link and understand how pervasive security really is in the marketplace.

Contact KPMG for a copy of the survey or download the Executive Summary Global IS Survey 2002 (PDF).