More than 70 percent of the 1,233 organizations — representing some of the leading companies in 51 countries — failed to list training and raising employee awareness of information security issues as a top initiative.

As organizations move toward increasingly decentralized business models through outsourcing and other external partnerships, it becomes ever more difficult for them to retain control over the security of their information and for senior management to comprehend the level of risk to which they are exposed.

“Companies can outsource their work, but they can’t outsource responsibility for its security,” Edwin Bennett, Global Director of Ernst & Young’s Technology and Security Risk Services, said. “Fewer than one-third of those companies conduct a regular assessment of their IT providers to monitor compliance with information security policies — they are simply relying on trust. Organizations have to demand higher levels of security from their business partners.”

The Ernst & Young survey indicates that organizations remain focused on external threats such as viruses, while internal threats are consistently under-emphasized. Companies will readily commit to technology purchases such as firewalls and virus protection, but are hesitant to assign priority to human capital.

“While the public’s attention remains focused upon the external threats,” Bennett said, “companies face far greater damage from insiders’ misconduct, omissions, oversights, or an organizational culture that violates existing standards. “Because many insider incidents are based on concealment, organizations often are unaware they’re being victimized. Too many organizations feel that information security has no value when there is no visible attack. This is a perception that has remained unchanged over the decade that Ernst & Young has been conducting this survey.”

Companies should instead place more emphasis on creating a security- conscious culture that includes setting the right “tone at the top” — this is vital in changing the way organizations approach information security, Bennett believes. “Companies can transform their view of information security, and approach it as a way to gain competitive advantage and preserve shareholder value, rather than merely consider it a necessary cost of doing business,” he said. “However, this transformation must be led by a visible shift in attitude from the CEO and the board. At present, only 20 per cent of organizations view information security as a CEO-level priority.”More could and should be done to transform the skills and awareness of their people, who often present the greatest opportunity for vulnerabilities – and convert them into its strongest layer of defense.”