The majority of energy companies do not have a business continuity management strategy or plan, according to a Deloitte survey.
Deloitte's 2010 Energy and Resources (E&R) global security survey, titled ‘Continuing the Journey’, revealed that investment in information technology continued on an upward trend throughout 2010, with information security functions rising steadily in companies within the sector.
The survey indicated that in general Energy and Resources organizations are often not equipped with the latest security technology and thus their ability to mitigate risk may be limited.
However, it also revealed that many firms reduced their security budget throughout the year.
Deloitte’s latest Energy and Resources survey presents results that were collated from respondents in a wide range of organizations located in markets which include the Middle East and Asia, Europe, Latin America and the Caribbean, Asia Pacific, Canada, the US, UK, and Japan.
“Without continuous investment in security and innovation, organizations that had their budgets cut within the Middle East may be unlikely to keep pace with the growing threats from increasingly sophisticated attacks and emerging technologies,” said Tariq Ajmal, partner in charge of information and technology risk services at Deloitte Middle East.
Only 22% of respondents consider their information security goals to be appropriately aligned with their overall business objectives.
As a result, many information security functions lack visibility and executive support. Only 17% of Energy and Resources organizations track and monitor the effectiveness of information security controls and have integrated reporting and measurement into their information security programme.
According to the survey respondents, security infrastructure improvement is a top security initiative; however, data protection, information security governance and training are also key endeavors they are undertaking.
A sizable number of E&R companies surveyed (38%) state that they are ‘late majority’, meaning that they use technologies that are proven. According to the study, technologies can only become proven over time; in the meantime, old hardware and out-of-date technology put data at risk.
The survey results indicate that priorities have shifted dramatically in 2010 and the focus was on improving the infrastructure, creating a robust strategy that deals with setting the overall control framework, and training employees.
Respondents cite increasing sophistication and proliferation of threats as a top concern that should be tackled by taking the initiative to improve the security infrastructure.
One of the main concerns of the Energy and Resources industry emerging in the survey is accidental breaches of information technology originating from inside the organization. Top threats include ‘non-intentional loss of sensitive information’ and ‘employee errors and omissions’. Respondents indicated that they plan to counter these threats with information security training and awareness programmes.
A major finding in the survey is that one of the biggest challenges when implementing a data protection program is identifying the data that needs protection. Today, many organizations don’t know what data they should be protecting.
“The Energy and Resources industry appears particularly vulnerable to breaches of information security and privacy. They handle large quantities of distributed sensitive information and their reputations and business success hinge on safeguarding this information. Failure to acknowledge that fact will be detrimental to their overall business,” Ajmal added.