
Is security too low on the business agenda?

Company boards are failing to put enough stress on cybersecurity, consultants warn. This could leave businesses vulnerable.

Inside the enterprise: Cybercrime is, unfortunately, a fact of corporate life. The most recent UK government study, carried out for the Department for Business, Innovation and Skills, found the number of security breaches suffered by firms had actually fallen somewhat but the cost of breaches has risen.

The 2014 Information Security Breaches Survey, which was carried out by consulting firm PwC, found that 81 per cent of enterprises suffered a security breach, down from 86 per cent in 2013. Among smaller firms, 60 per cent reported breaches, down from 64 per cent the year before.

But there should be no need for complacency: the researchers found both the "severity and impact" of breaches have increased. The average cost for a breach at a large organisation ranges between 600,000 and 1.15m; for smaller companies the figure was between 65,000 and 115,000. The Government survey also found that companies were increasing their investment in cyber security.

But another, more broadly focused report, this time from consulting firm KPMG, suggests information security is by no means at the top of the corporate agenda.

The firm's annual Business Instincts Survey, a study of 500 senior executives, found that cyber security ranked third in boardroom priorities, below the need to invest in people skills, and even below plant and machinery purchases.

KPMG found businesses do realise they need to increase spending on cyber security, and that there was evidence of underinvestment in protection and countermeasures over the last few years. But boards are also being put off investment by what many business leaders see as scaremongering.

"Every day we hear of new cyber attacks and incidents; I see a real risk of boardrooms doubting the severity of the issue and the extent of their vulnerability," cautions Martin Tyley, a partner in KPMG's cyber security practice.

He believes that instead of trying to bolt on security after the event, companies will do better to build security into their business processes, and take a positive approach to managing the risk. The threat, he suggests, will not go away.

The accusation of scaremongering is, of course, hard to refute. There will always be company executives who claim that spending on security is unnecessary, just as there are those who will be tempted to skimp on insurance until their company falls victim to fire or flood.

The challenge is for IT security teams to present the risks in a measured, realistic way, rather than through fear, uncertainty, and doubt.

"The scale and severity of security threats for businesses is increasing every day and as a result, security can no longer be viewed as a segregated 'backroom' issue," warns Chema Alonso, CEO of Eleven Paths, the information security subsidiary of Telefonica.

"The security of information and systems should be an issue which permeates to the very top levels of a company, and rightfully so, given the commercial, legal and reputational damage caused by security breaches."

Stephen Pritchard is a contributing editor at IT Pro.