The Bunker has now analysed the data it collected from an approach to more than 2500 senior IT managers and directors, and has published the results in its Security Survey 2012 – and like many other surveys it suggests a continuing complacency within senior management. “Have the high profile security breaches in 2011 made your organization more aware of the need for data security?” asked The Bunker. Unsurprisingly, more than two-thirds of the respondents confirmed that they are now more aware of the need for data security.
But despite this increased awareness, almost half then admitted that they have done nothing to increase their security measures. “Of those who did take action,” says the report, “two out of three focused on digital and IT measures, while half concentrated on physical security and people. Almost 40% of those surveyed considered at least one aspect of their security ineffective, potentially compromising other areas.”
This lack of action in combatting security mirrors an uncertainty in how to treat security – for example, there is little consensus on who should own company security. Almost 40% of companies place security as the responsibility of the IT department, meaning overall business risk management and human resource concerns will necessarily take a lower priority. In fact, more than 2% of respondents said nobody had responsibility for security. Even when all of the different directors are included, less than two-thirds of organizations nominate just one or more C Level Exec/Director as having all or some responsibility for security. More worrying, comments the report, “is the third (34.9%) of organizations where security is not a C or Director level responsibility, with the onus solely being put on employees at management level.”
The lack of consensus in how to tackle security also shows up in attitudes towards compliance and regulations. Most companies believe that regulations are a good idea, but... nearly ten percent believe the bar is set too high, nearly 20 percent think it is set too low, and nearly 15 per cent consider them to be an unnecessary distraction. Only just over one-third of respondents think they are a good idea and cover the right level of detail. Individual replies included, “Regulations are well-intended but fail to improve data security...”, “some individuals treat it as check box security...”, and “many firms pay lip service and do as little as possible.”
The inevitable conclusion of this survey is that business has not yet developed a uniform view on the importance of security, nor on how nor by whom responsibility should be taken. “Many businesses fail to give security the attention it deserves until they themselves have been the victim of a breach”, commented Peregrine Newton, The Bunker’s CEO. “Yet by this point, the impact will often already have been devastating in both reputational and financial terms. In a difficult financial climate it’s imperative that organisations heed the warnings of previous well-publicised attacks on their peers.”