Information security: 'Not my problem'

Information security is always someone else's problem, according to senior non-IT executives in a survey commissioned by NTT Com Security.

Playing the blame game in the boardroom

Awareness of cyber-security as a risk has risen, but as Simon Church, chief executive officer at NTT Com Security, explained to SCMagazineUK.com: “There is still a high level of misunderstanding, indifference and complacency, and failure to rank information security as a critical risk.”

The figures in 'The global risk:value' report back up this view. Based on a survey of 800 business decision-makers (not in an IT role) in the UK, Australia, France, Germany, Hong Kong, Norway, Sweden and the US, the report shows that 19 percent think a data breach would have no significant impact on their revenue, and 28 percent admit they do not know what the financial implications would be.

Yet on average, UK companies estimate a drop in revenue of seven percent and a quarter say it would take between one and three months to recover, with five months being the average in both the UK and across all eight countries.

Only 52 percent of UK executives agree they are kept fully up-to-date by their IT security team about data attacks and potential threats – below the global average (59 percent) and one of the lowest figures for all eight countries. Over a third (38 percent) do not know what their company insurance covers in the event of a security breach or data loss – the highest percentage for any country except France (45 percent).

This disregard extends to budgets, with a quarter of UK executives not knowing how much of their IT budget is spent on data security – the highest of any country. Only six percent see poor data security as the single greatest risk to their business, the lowest for all countries, except Australia – and well below the average of nine percent across all eight countries. And some are outright negative, with 52 percent viewing data security as expensive, and 21 percent associating it with being disruptive.

As a result, only 49 percent of UK executives believe their critical data is fully secure, while 56 percent agree they are likely to suffer a security breach at some point, compared to 63 percent globally.

Bob Tarzey, analyst and director at Quocirca Ltd, told SCMagazineUK.com: “Execs should be worried for two reasons. First, there is a compliance issue. EU and UK DP law deems senior execs to be data controllers, they are ultimately responsible for protecting regulated personal and financial data and the financial penalties for failure are set to rocket.

“Second, it is increasingly evident that any company's product plans and blueprints are subject to theft by unscrupulous competitive organisations based anywhere on the planet. Losing control of new ideas is more of a threat to the future of many businesses than poor compliance.”

When it comes to insurance, 72 percent believe it is vital that their organisation is insured for data security breaches, but only 54 percent believe that their company insurance currently covers the financial impact of both data loss and a security breach.

Church comments: “People don't know if they are fully covered for a security breach – especially after Target – and even then it's often brand damage that's more important. Insurance can make some people feel, ‘I'm OK’ regarding info-security – but you're not.”

Garry Sidaway, senior vice president of security strategy and alliances, NTT Com Security, said in an email to journalists: “Unfortunately, security at the board level still tends to be associated with data protection and compliance, when in fact securing data properly is absolutely critical to enabling businesses to thrive and survive. There's also a growing disconnect between the cost of breaches and the importance that organisations place on IT security to drive these costs down.”

Only 49 percent of UK respondents report that all critical data is ‘completely secure’ compared to 66 percent in the US and 54 percent in Australia. Hong Kong ranked lowest with just 29 percent. Consumer customer data was ranked as the most important data they need to protect by 34 percent of UK executives, with business customer data second (33 percent), and employee data third (27 percent).

There was no overwhelming support for shared responsibility when it came to mobile device use either, with 48 percent of UK respondents depending on their IT security team to allow them to use and access work-related data safely whatever device they are using, 34 percent seeing it as a joint responsibility between themselves and the security team and a fifth using personal devices not approved by IT security for work purposes.

In an email to SC, Mike Loginov, C|CISO at Ascot Barclay Cyber Security Group, commented: "The growing list of compromised organisations that have suffered serious damage to operations, executive reputations and shareholder interests must act as a wake-up call for all 'C' level executives that still believe cyber security is an IT (only) issue."
 
He adds: "The pervasive nature of the internet coupled to the fast paced growth of the digital economy and the fusion of the online world with all aspects of business and indeed life mean that new attitudes towards cyber defence along with innovative ways of working are now essential to the success of any business."

Church admits that the findings are not a huge surprise, telling SC: “The only surprise is that I am not surprised. We are halfway along the track in that there is now recognition of this as an issue, but everyone assumes it for someone else - but it is for all of us to address. We all agree there should be some ‘Kyoto agreement’ on cyber-security, and although implementation will be difficult, we need to agree how to tackle this issue.

“There are not enough people with the right knowledge, so how do we get it off the ground to face increasing breaches, loss of IP and other theft – as well as growth in hacktivism? It needs to be a joint industry initiative.”