Just one in five (22%) business decision makers feel all of their company’s data is secure, according to recent research by global information security and risk management company NTT Com Security.
The survey of 1000 respondents revealed that two-thirds are resigned to suffering a security breach at some point in the future, with the cost of recovering from an attack reported to start from around $1 million.
Although more than half (54%) of those surveyed said information security forms a vital part of their business strategy and 18% agreed that a weak security infrastructure is a significant risk, three in ten felt that more is spent on HR than information security.
However, the study did reveal that 13% of an organization’s IT budget is now being put towards security, a slight improvement on the 10% reported in a similar survey conducted by NTT back in November 2014.
Garry Sidaway, SVP Security Strategy and Alliances at NTT Com Security, believes the findings from this latest report suggest the effects of the high-profile data breaches we saw in 2015 are starting to hit home. He said:
“Attitudes to the real impact of security breaches have started to change, and this is no surprise given the year we have just had. We’ve seen household brands reeling from the effects of major data breaches, and struggling to manage the potential damage to their customers’ data – and the cost to their reputation. While the majority of people we spoke to expect to suffer a breach at some point in the future, most also expect to pay for it – whether that’s in terms of remediation costs, customer confidence or possibly even their jobs.”
Almost all respondents admitted that if information was stolen from their organization there would be both external and internal impacts such as loss of customer confidence (69%) and damage to reputation (60%). The report also found that just 41% of companies have some form of insurance covering them for the financial impact of data loss and security breaches, with 12% not covered for either. However, more than half (52%) said they have a formal information security policy in place and a further 27% are in the developmental stages of implementing one.
Stuart Reed, Senior Director at NTT Com Security, feels this represents a positive step towards the goal of secure data privacy within organizations, even if there is still work to be done. In an email to Infosecurity, he said:
"It’s really encouraging to see that the majority of UK businesses now have or are working to have a formal IT security policy in place, although it seems that many still require help in implementing these policies, given that a lack of compliance and incident response planning are both cited as reasons that any relevant insurances could be invalidated."
Dr. Adrian Davis, Managing Director EMEA, (ISC)2 told Infosecurity that whilst it is refreshing that organizations now understand that breaches or incidents will occur, their belief that they will suffer both financial and non-financial losses is a cause for concern.
He added:
“Other noticeable results from this survey are that just over one in five (22%) respondents feel their data is secure – a realistic viewpoint I think, as the modern organization doesn’t typically keep its data in one secure location; rather it is spread across many different devices, stored in the cloud and shared with suppliers and consumers. It may be that the organization does secure their data but they are unsure of how other organizations protect the data the organization has shared.”
“I’m also interested by the spending comparison with HR. It’s really difficult to say how much organizations should spend on security: it’s a business decision, a risk-based decision, a capability-based decision. You can buy lots of security technology, but if you don’t have the staff to implement or use the technology – or staff who can understand the value of that technology, then it could turn out be a waste of money. Investing in staff at all levels, enabling them to be digitally-literate and security aware and recruiting people with these skills is just as valuable as buying technology and making direct information security investments. Cybersecurity is a people issue and having good staff, well trained, is vital.”