Is security too low on the business agenda?

Cyber security Francis Maude

Inside the enterprise: Cybercrime is, unfortunately, a fact of corporate life. The most recent UK government study, carried out for the Department for Business, Innovation and Skills, found the number of security breaches suffered by firms had actually fallen somewhat but the cost of breaches has risen.

The 2014 Information Security Breaches Survey, which was carried out by consulting firm PwC, found that 81 per cent of enterprises suffered a security breach, down from 86 per cent in 2013. Among smaller firms, 60 per cent reported breaches, down from 64 per cent the year before.

But there should be no need for complacency: the researchers found both the "severity and impact" of breaches have increased. The average cost for a breach at a large organisation ranges between 600,000 and 1.15m; for smaller companies the figure was between 65,000 and 115,000. The Government survey also found that companies were increasing their investment in cyber security.

I see a real risk of boardrooms doubting the severity of the issue and the extent of their vulnerability.

But another, more broadly focused report this time from consulting firm KPMG suggests information security is by no means at the top of the corporate agenda.

The firm's annual Business Instincts Survey, a study of 500 senior executives, found that cyber security ranked third in boardroom priorities, below the need to invest in people skills, and even below plant and machinery purchases.

KPMG found businesses do realise they need to increase spending on cyber security, and that there was evidence of under investment in protection and countermeasures over the last few years. But boards are also being put off investment by what many business leaders see as scaremongering.

"Every day we hear of new cyber attacks and incidents I see a real risk of boardrooms doubting the severity of the issue and the extent of their vulnerability," cautions Martin Tyley, a partner in KPMG's cyber security practice.

He believes that instead of trying to bolt on security after the event, companies will do better to build security into their business processes, and take a positive approach to managing the risk. The threat, he suggests, will not go away.

The accusation of scaremongering is, of course, hard to refute. There will always be company executives who claim that spending on security is unnecessary, just as those who will be tempted to skimp on insurance until their company falls victim to fire or flood.

The challenge is for IT security teams to present the risks in a measured, realistic way, rather than through fear, uncertainty, and doubt.

"The scale and severity of security threats for businesses is increasing every day and as a result, security can no longer be viewed as a segregated backroom' issue," warns Chema Alonso, CEO of Eleven Paths, the information security subsidiary of Telefonica.

"The security of information and systems should be an issue which permeates to the very top levels of a company and rightfully so given the commercial, legal and reputational damage caused by security breaches."

Stephen Pritchard is a contributing editor at IT Pro.