By Agence France-Presse

Global corporations are failing to safeguard their information networks against potent threats from viruses, worms and especially their own employees, according to a recent report by consultancy firm Ernst and Young.

The Global Information Security Survey said that while corporate leaders were increasingly aware of the risks to their information security from people within their organizations, they were not acting on the knowledge.

"More than 70% of the companies surveyed failed to list training and raising employee awareness about information security issues as a top initiative," the report said. Ernst and Young polled more than 1,233 organizations from across 70 countries.

"While organizations remain focused on external threats such as viruses, the internal threats are constantly being under-emphasized," says Terry Thomas, partner, Ernst and Young's Risk and Business Solution Practice. "People and organizational issues are equally important because many insider incidents are based on concealment, organizations are often unaware that they are being victimized."

The report said that as corporations increasingly outsource business to third-party vendors outside their region, it was becoming more difficult to retain control over the security of their information. "The more likely and most lethal threats are those originating from within an organization's growing extended enterprise," it said.

The report said 80% of the organizations surveyed failed to conduct regular assessment of their IT outsourcer's compliance with the host organization's security requirements. It said most organizations felt that information security had no value when "there is no visible attack."

"This perception has remained unchanged over the decade that Ernst and Young has been conducting the survey. The top-most obstacle to effective information security today is the lack of security awareness by users," says Thomas.

He said although 67% of the organizations said information security was "very important," persistent gaps continue to exist in the amount of diligence and resources that are deployed to improve the degree of protection.

"Information security threats are more lethal today. We expect that incidents, particularly internal ones, will proliferate unless senior management makes information security a core management function," Thomas says.

Copyright Agence France-Presse, 2004