In-depth

Is security too low on the business agenda?

Company boards are failing to put enough stress on cybersecurity, consultants warn. This could leave businesses vulnerable

Cyber security Francis Maude

Inside the enterprise: Cybercrime is, unfortunately, a fact of corporate life. The most recent UK government study, carried out for the Department for Business, Innovation and Skills, found the number of security breaches suffered by firms had actually fallen somewhat but the cost of breaches has risen.

The 2014 Information Security Breaches Survey, which was carried out by consulting firm PwC, found that 81 per cent of enterprises suffered a security breach, down from 86 per cent in 2013. Among smaller firms, 60 per cent reported breaches, down from 64 per cent the year before.

Advertisement - Article continues below

But there should be no need for complacency: the researchers found both the "severity and impact" of breaches have increased. The average cost for a breach at a large organisation ranges between 600,000 and 1.15m; for smaller companies the figure was between 65,000 and 115,000. The Government survey also found that companies were increasing their investment in cyber security.

I see a real risk of boardrooms doubting the severity of the issue and the extent of their vulnerability.

But another, more broadly focused report this time from consulting firm KPMG suggests information security is by no means at the top of the corporate agenda.

The firm's annual Business Instincts Survey, a study of 500 senior executives, found that cyber security ranked third in boardroom priorities, below the need to invest in people skills, and even below plant and machinery purchases.

Advertisement
Advertisement - Article continues below

KPMG found businesses do realise they need to increase spending on cyber security, and that there was evidence of under investment in protection and countermeasures over the last few years. But boards are also being put off investment by what many business leaders see as scaremongering.

Advertisement - Article continues below

"Every day we hear of new cyber attacks and incidents I see a real risk of boardrooms doubting the severity of the issue and the extent of their vulnerability," cautions Martin Tyley, a partner in KPMG's cyber security practice.

He believes that instead of trying to bolt on security after the event, companies will do better to build security into their business processes, and take a positive approach to managing the risk. The threat, he suggests, will not go away.

The accusation of scaremongering is, of course, hard to refute. There will always be company executives who claim that spending on security is unnecessary, just as those who will be tempted to skimp on insurance until their company falls victim to fire or flood.

The challenge is for IT security teams to present the risks in a measured, realistic way, rather than through fear, uncertainty, and doubt.

"The scale and severity of security threats for businesses is increasing every day and as a result, security can no longer be viewed as a segregated backroom' issue," warns Chema Alonso, CEO of Eleven Paths, the information security subsidiary of Telefonica.

"The security of information and systems should be an issue which permeates to the very top levels of a company and rightfully so given the commercial, legal and reputational damage caused by security breaches."

Stephen Pritchard is a contributing editor at IT Pro.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/security/encryption/355820/k2view-innovates-in-data-management-with-new-encryption-patent
encryption

K2View innovates in data management with new encryption patent

28 May 2020
Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
Visit/security/cyber-security/355368/microsoft-builds-ai-to-detect-security-flaws-with-99-accuracy
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020

Most Popular

Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Visit/infrastructure/server-storage/355785/dell-emc-poweredge-r7525-review-an-epyc-core-density-to-make
Server & storage

Dell EMC PowerEdge R7525 review: An EPYC core density to make Intel weep

26 May 2020
Visit/infrastructure/network-internet/355792/intel-releases-wi-fi-and-bluetooth-driver-updates-for
Network & Internet

Intel releases Wi-Fi and Bluetooth driver updates for Windows 10

26 May 2020