Odd Couple: US firms worry about breaches; UK businesses eye compliance concerns

For UK organizations, compliance and a sense of responsibility to protect information drive IT security funding, while businesses in the US are looking to prevent breaches or other security exploits.

The twin research reports on US and UK spending priorities, carried out by the Ponemon Institute on behalf of Faronics, deduce that the market differences are simply organic reactions to different threat conditions. For instance, the focus on exploit prevention in the US (63%) likely stems from the fact that many US organizations report multiple data breaches, with 30% of respondents experiencing more than three incidents in a year. In the UK, despite staggering growth in breaches overall, just 19% cite more than three per year.

“The number of US organizations admitting that security funding is driven by the need to respond to previous data breaches is…notable, and suggests that firms need to take heed from other high-profile security incidents and urgently up the ante on proactive security, rather than waiting for the inevitable to happen,” said Dmitry Shesterin, vice president of product management at Faronics.

Meanwhile, the ascendency of compliance (54%) and a sense of responsibility to protect information (45%) among UK respondents makes a lot of sense given that 62% of UK organisations name the complexity of regulatory requirements as the biggest barrier to security. In stark contrast, just 7% of US respondents named compliance violations as the most serious threat to their business.

“These findings seem to suggest that the UK organizations take a generally more proactive approach to data security than their US counterparts,” said Shesterin. “This could be down to numerous factors, including the fact that the UK has an incredibly stringent regulatory environment, so it becomes inevitable that organizations across the country would see compliance as a top priority for spending.”

In terms of spending justification, aka return on investment, the companies’ sense of the benefits of spending on security differs from the actual drivers that they cite. A reduced number of data breach incidents (63%) was seen as the greatest benefit of installing security solutions in the UK, while most US respondents stated that they gain better employee productivity due to machine availability (46%).

“While there are clearly different factors affecting purchasing decisions on both sides of the Atlantic, the ultimate goal should be to select solutions that will continuously protect confidential data amid today’s rapidly changing threat patterns,” Shesterin said.

However, when it comes to the most important considerations when selecting which security and data protection options to implement, the market differences vanish. All survey respondents on both sides of the pond said that low purchase cost, ease of deployment and low running costs are top requirements. Positive peer reviews and interoperability, meanwhile, were at the bottom of the heap.

Organizations in both countries also spend an almost equal proportion of money on security, the study found. UK organizations dedicate an average of 13% of total IT budget, with the US slightly higher at 15%. 

“Considering the increased likelihood of indiscriminate cyber attacks on businesses worldwide, organizations in both countries report relatively low rates of security spending,” continued Shesterin. “Though the appropriate amount that should be spent is debatable, it is absolutely critical that this investment is directed at the most suitable defenses against modern day threats such as social engineering, spear phishing and other tactics of increasingly determined hackers.”

Finally, the survey asked about risk management strategies, and what respondents considered to be the most valuable assets that they hold. In both countries, security risk is identified mostly through informal observations by supervisors and managers (74% UK, 67% US), and – perhaps unsurprisingly – intellectual property poses the highest level of risk to organizations if lost or stolen, closely followed by customer data.
