Spend on information security is on the rise, however, a survey from KPMG UAE shows that not enough companies are taking a holistic approach to their business continuity and information security planning in the long term. “The survey shows that companies in the UAE are increasingly depending on IT, and their spend has risen accordingly,” commented Rajeev Lalwani, Head of IT Advisory practice for KPMG in the UAE and Oman.
“Yet 86% of companies are not considering international security standards such as ISO27001 when implementing information security management systems, and 55% allocate funds to projects on a case by case basis. Organizations need to treat security and continuity issues as business issues and embed them in the larger context of risk management policies and procedures. When it comes to information security, there is no point in investing in expensive security technology tools to protect your digital customer information if the same information remains unprotected in paper form.”
Integrating a robust incident response mechanism is a significant indicator of an organization’s preparedness for security breaches. The survey showed that only 15% of companies in the UAE had considered round the clock monitoring, with the remaining 85% ranging between purely reactive systems and informal levels of monitoring and logging.
Viruses were perceived to be the main security issue, followed by spamming, and internal threats. Only 12 percent of the respondents claimed that their information security function lies outside the IT department, with direct reporting to the board. This again highlights the need for companies in the UAE to examine the extent to which their information security policies are interlinked with overall company policies.
On the business continuity side, only 20% of companies surveyed have a continuity plan that covers the entire organization, and over half the respondents focused their business continuity initiatives mainly on technology and related systems and processes.
A greater understanding is required on the need for geographic dispersion of disaster recovery sites. Most companies surveyed have, or plan to have, secondary recovery sites within the same city or location in which their business operates. This leaves businesses vulnerable in the event of a major disaster in that same city or location. The survey also reveals that organizations recognize people as one of their weakest links. Processes are exposed to risks due to human error, negligence, lack of awareness or even the lack of staff availability during a disruption. Investment in business continuity appears to be constrained, with a majority of firms spending in the lower end of the investment spectrum. Key drivers in the decision to implement a business continuity management program were customer service, compliance, and safety of staff.
As organizations in the UAE grow regionally and globally, it is important that they start considering aligning their security and continuity programs with internationally recognized security and business continuity standards.
