Have we missed the boat when it comes to tackling cyber crime? Davey Winder tries to find out...
COMMENT: With the technology, media and telecommunications (TMT) sector coming under increasing scrutiny from cyber criminals, perhaps the question I should be asking is whether TMT has turned into ITSec TNT?
With newly published research suggesting that 75 per cent of those enterprises within the TMT sector have reported a security breach so far this year - an increase of 13 per cent on the previous year - there's a real danger that data security will implode if nothing is done to stop the rising threat tide. Especially when you look closer at that research from Deloitte and discover that IT security budgets have largely, erm, gone precisely nowhere in response to the threats and stayed totally static.
While the optimists, and bean counters, will be applauding the fact that IT security budgets have not actually fallen, I will continue to shout as loudly as I can that they are missing the point.
The fifth 'Global TMT Security Survey' which Deloitte pitch as being "aimed at providing TMT companies with insight into the security and privacy challenges and threats they face or will face as an industry" makes for somewhat chilling reading. Revealing that while many enterprises talk the security talk, few seem capable of walking the walk, or at least walking in a straight line towards data security at any rate.
OK, I will readily admit that when it comes to IT security strategy I am very much a glass half empty kind of a guy, preferring to plan for the worst case scenario rather than march zombified and ever onward with fingers crossed that it will never happen to me. Which is why I find it hard to understand how any serious enterprise, as in serious about keeping data safe and secure, will think that a 'stable security budget' is good enough when the cold, hard facts are slapping them in the face with rising breach rates and ever more complex threat vectors. So while the optimists, and bean counters, will be applauding the fact that IT security budgets have not actually fallen, I will continue to shout as loudly as I can that they are missing the point.
Not that I really need to shout that loud as it would appear that those businesses whose budgets have remained static are well aware that this is not a good thing. According to the Deloitte research half of those questioned said that they considered the lack of budget (along with a lack of personnel, but it amounts to pretty much the same thing ultimately anyway) as being the biggest barrier to 'adequate' information security. And there we go again, with my pessimistic alarm bells ringing at the sound of someone using 'adequate' as an aspirational measure. Adequate is bean-counter-speak for least costly, within budget, value for money, cheap. Adequate is not secure at any cost. Adequate is not as secure as we can make it. Adequate is not, I repeat, acceptable.
Nor is it acceptable, I would suggest, for a quarter of CISOs not to be reporting back to their senior executive team.
I am not the only one with this concern, James Alexander is cyber security partner at Deloitte and he insists that "information security across the TMT industry is a matter that requires C-level attention, and organisations must raise awareness of the issues and train employees how to deal with them. The bar is being raised to a new level, and we need to step up". I couldn't agree more.
That stepping up has to include improving the frankly miserable statistic of only 18 per cent of TMT organisations having established clearly defined practices to inform customers and 'external stakeholders' about the risks to their data, and the 35 per cent with 'partially defined' policies. Mind you, it wouldn't hurt to try and improve on the 39 per cent of workers who follow IT security policy in the enterprise, another staggeringly depressing figure thrown up on this occasion by research from privilege management specialists Avecto.
So, to sum up, it isn't too late to stem the cyber crime tide. However, unless you want to get seriously wet and risk seeing your data drowning in these dangerous seas, you had better start not only taking the subject more seriously but investing in suitably robust defences NOW.