Bosses 'too trusting' of outsourcer's security

CEOs aren't taking the care that they should with their customers' data when they outsource, according to a new survey of senior management.

The Ernst & Young Global Information Security Survey queried 1,233 companies from 70 countries and found that most were trusting their outsourcer's security to chance rather than actively tracking how secure data is.

Of those questioned by Ernst & Young, 70 per cent of companies fail to regularly audit their outsourcer to see whether it comes up to the same security standards of those of its employer and 80 per cent don't measure if their outsourcers are compliant with the same regulatory standards as they are.

Industry's lack of security-savvy is placed firmly at the door of the higher-ups.

"As more organisations enter into close collaboration with other organisations, the less likely that senior management truly comprehends the organisation's ever-growing risk dependencies," the report says. "Senior management is more trusting than prudent."

Although execs might be trusting of the sanctity of their outsourcers, they have equal faith that their own organisation is protecting its data safely.

In the event of a "serious disruption", 10 per cent of those queried thought their employers would be able to continue operations and 14 per cent had the same confidence an offshore operator could do the same.

However, few bosses have the facts and figures in front of them to know whether their firm has got its data in the digital equivalent of a cardboard box or Fort Knox, with nearly 70 per cent of boards not receiving an update on their company's security status and some 20 per cent of those queried saying they didn't think that their businesses thought security was a CEO-level priority.

"Organisations apparently continue to rely on luck rather than proven information security controls," the report says.

Bosses may be in the dark when it comes to security but they'd like their partners to be more so, it seems. Fifty-five per cent of respondents said they wouldn't tell their business partners about any security glitches for fear of "a negative impact on their competitive stance, public image and stock value".