Is security too low on the business agenda?

Company boards are failing to put enough stress on cybersecurity, consultants warn. This could leave businesses vulnerable.

Inside the enterprise: Cybercrime is, unfortunately, a fact of corporate life. The most recent UK government study, carried out for the Department for Business, Innovation and Skills, found the number of security breaches suffered by firms had actually fallen somewhat, but the cost of breaches has risen.

The 2014 Information Security Breaches Survey, which was carried out by consulting firm PwC, found that 81 per cent of enterprises suffered a security breach, down from 86 per cent in 2013. Among smaller firms, 60 per cent reported breaches, down from 64 per cent the year before.

But there should be no need for complacency: the researchers found both the "severity and impact" of breaches have increased. The average cost for a breach at a large organisation ranges between £600,000 and £1.15m; for smaller companies the figure was between £65,000 and £115,000. The Government survey also found that companies were increasing their investment in cyber security.

But another, more broadly focused report, this time from consulting firm KPMG, suggests information security is by no means at the top of the corporate agenda.

The firm's annual Business Instincts Survey, a study of 500 senior executives, found that cyber security ranked third in boardroom priorities, below the need to invest in people skills, and even below plant and machinery purchases.

KPMG found businesses do realise they need to increase spending on cyber security, and that there was evidence of under-investment in protection and countermeasures over the last few years. But boards are also being put off investment by what many business leaders see as scaremongering.

"Every day we hear of new cyber attacks and incidents; I see a real risk of boardrooms doubting the severity of the issue and the extent of their vulnerability," cautions Martin Tyley, a partner in KPMG's cyber security practice.

He believes that instead of trying to bolt on security after the event, companies will do better to build security into their business processes, and take a positive approach to managing the risk. The threat, he suggests, will not go away.

The accusation of scaremongering is, of course, hard to refute. There will always be company executives who claim that spending on security is unnecessary, just as there are those who will be tempted to skimp on insurance until their company falls victim to fire or flood.

The challenge is for IT security teams to present the risks in a measured, realistic way, rather than through fear, uncertainty, and doubt.

"The scale and severity of security threats for businesses is increasing every day and as a result, security can no longer be viewed as a segregated 'backroom' issue," warns Chema Alonso, CEO of Eleven Paths, the information security subsidiary of Telefonica.

"The security of information and systems should be an issue which permeates to the very top levels of a company, and rightfully so, given the commercial, legal and reputational damage caused by security breaches."

Stephen Pritchard is a contributing editor at IT Pro.
