Top executives and company directors are making cyber andinformational security a top priority now more than ever, accordingto two Ernst and Young consultants introducing the findings ofE&Y's 2011 Global Information Security Survey at amedia lunch this week.

According to the survey, 72% of the more than 1,700 informationsecurity and IT professionals in 52 countries report increasinglevels of risk due to external threats.

Attacks are growing in sophistication and complexity where nowthey target specific people and behavior in a company—like topexecutives or individuals who travel in foreign countries—ratherthan its systems, said Jose Granado, principal and Americas'practice leader for Information Security Services. He was joined byChip Tsantes, principal in the financial services office where heleads the information security practice.

Raising the stakes are advanced persistent threat (APT) attacksthat usually require user interaction, focus on a single target,collect and funnel out information over an extended period of timeand operate under the radar. APT attacks, which could be the workof nation states, seek to steal intellectual property, classifiedinformation and corporate secrets to gain competitive advantage innegotiating contracts or buying terms. Typically, companies remainunaware until a government agency like the FBI or the SecretService comes calling six months later, said Tsantes.

Signature based anti-virus software, which identifies viralpatterns, is useless against the new malware that changesdynamically. Combating APTs requires a different mindset. IT mustconstantly monitor the entire network looking for anomalies,behavior that is out of the ordinary, and then root out the cause,said Granado.

CEOs and boards are looking to assemble security operationscenters or threat response teams to be very pro-active, he said.The survey shows 59% of respondents expect their security budgetsto increase next year.

Meanwhile, tablets, mobile devices and social media are seepinginto the enterprise and bringing risk with them. One in fiverespondents said their companies do not permit tablets for businessuse and do not plan to allow it, a policy likened to sticking theirheads in the sand. A better plan would be to provide a guestnetwork for employee devices so companies can monitor thetraffic.

In financial services, “companies should assume that everydevice a consumer has has been compromised and should securefinancial transactions in a way that recognizes that,” saidTsantes.

And then there is the cloud, which is fueling the growth ofmobile computing. About 60% of survey respondents are using thecloud or moving toward it, while 52% say their company is doingnext to nothing to mitigate cloud risks. The Cloud SecurityAlliance is leading the way to a best practices framework, Granadosaid.