The 2007 Technology, Media and Telecommunications (TMT) Survey, conducted by international consulting firm Deloitte Touche Tohmatsu, indicates that 46% of the more than 100 organizations surveyed have no formal information security strategy. Despite this, 69% of organizations surveyed say they are "very confident" or "extremely confident" about dealing with security issues.
Respondents included companies in the media, technology, and telecommunications sectors. Almost half reported having between 5,000 and 50,000 employees, and almost half reported revenue ranging from $1 billion to $10 billion.
In a statement, Rena Mears, global and U.S. privacy and data protection leader with Deloitte, said that the organizations responding to the survey are in a reactive mode and that effective information security requires a strategy.
The surveyed companies, as the report characterized it, are keeping their heads above water: Most said they had avoided a major security crisis in 2007. But there's a sense of worry about the future. Some 49% said they're falling behind on security threats and only 7% believed their security situation was improving.
That lack of confidence appears to be the result of lack of spending, lack of talent, and lack of management support. Only 5% of the companies surveyed said they had increased security investments by 15% or more. Only 38% of the companies surveyed said they had people with the skills to respond to security challenges. And only 62% of companies surveyed said their top executives saw security as an imperative.
"That might not sound too bad, but the truth is security should be a top strategic priority for every TMT company -- which means that percentage [62%] should really be much higher," the report said.
The report notes that overconfidence about security diminishes when it comes to threats from within the organization. In contrast to the 69% who expressed confidence in their organization's external security, only 56% said as much when asked about managing internal risks.
The report said that security threats from within an organization are at least as great as those from without. But internal risks go beyond deliberate fraud and misconduct; they include human error, which the report cites as the source of 75% of security failures.
The report recommends training to raise awareness and to mitigate potential mistakes. But it also notes that 42% of the organizations surveyed said they had not provided any sort of security training during the past year.