A tipping point for effective corporate security measures?
A tipping point for effective corporate security measures?

It's a truism that a business is only as secure as its weakest point, so businesses should have security systems in place because staff members are going to mess up at some point.

What is less clear is at what point do companies connect those systems and employee behaviour and at what stage do staff display a security-conscious approach to daily operations?

We investigated security attitudes in 100 UK enterprises (grouped into 1,000-3,000 sized firms and those with more than 3,000 employees) and compared them with responses to the same survey three years ago. We found to our surprise that those firms spending ten per cent of corporate IT budget on security seem to exhibit more signs of security awareness among staff.

In the age of cloud and social media, staff members are still perceived as the weak link. Threats that most concern enterprises are: employee attitude to security protocols (77 per cent); malware (76 per cent); use of personal cloud storage (70 per cent); malicious non-commercial external attacks (70 per cent); and commercially-driven attacks (60 per cent).

The next five threats seemed to emphasise the risks surrounding organisations mobilising their data. They were: personally owned devices (59 per cent); cloud software (58 per cent); mobile devices (57 per cent); internal threats (54 per cent) and supply chain threats (31 per cent).

Enterprises are certainly increasing their level of investment to meet these risks. Almost two-thirds of the survey are spending more on security than they did three years ago, irrespective of organisation size or sector.

Larger enterprises' average increase in security spend is considerable – 31 per cent, against 23 per cent for 1,000-3,000 employees companies. In addition, the vast majority (84 per cent) of those surveyed have a formal process for reviewing security protocols and over two-thirds (69 per cent) review their security partners or providers.

Companies still seem to struggle with setting up more sophisticated and proactive risk management systems however, and security measures that by their nature demand more active engagement and education of their staff.

Over one-third (36 per cent) of enterprises do not formally review security providers and protocols at all. A key factor in uniting different security systems appears to be how much of the enterprise's IT budget is dedicated to security. Nearly three out of four enterprises that ring-fence more than ten per cent of the overall IT budget for security do review their security protocols as well as providers. In enterprises where the security spend is less than five per cent of overall budget, it's only just over half.

The severity of threats to business seems to have been communicated to senior management teams - who continue to get the credit card out – but not to the businesses as a whole. Asked to rate their confidence in their security controls or protection, only 42 per cent said they were "entirely confident" about their organisation's response to any of the ten threats identified.

Companies still regard staff security awareness as a critical point of failure. Asked whether information security is regarded by employees as a top priority when using company IT, only 24 per cent of respondents agreed. In firms spending more than ten per cent of budget on security, this figure was higher, at 41 per cent. Tellingly, none of the firms that are spending five per cent or less of the IT budget on security agreed with this point.

Interestingly, firms getting staff to adopt ever more complicated security set-ups and checks in their working lives may not mean that productivity is undermined – information security systems simply represent accepted (if unloved) workforce business procedures.

Nearly two-thirds (65 per cent) said their colleagues regard reviewing security protocols as a hindrance - but almost the same number of respondents (64 per cent), in those firms that do not review either security protocols or providers said the same thing.

Business security is a constantly changing task for enterprises. Company boards are focusing on workplace tools and staff behaviours. Our survey shows a clear link between those firms with a higher level of staff threat awareness, commitment to using security protocols and continued investment in IT security measures.

More proactive policies only highlight the complex nature of the task, however. Those firms spending more on security tend to display more anxieties than the lower spenders. Moreover, 91 per cent of firms that are upping spending compared with three years ago admit that they never feel 100 per cent protected.

Smaller firms are generally less concerned by threats than bigger companies; this could be interpreted as complacency or ignorance of the threats ranged against them.

As social media and the cloud open up information assets, the most risk-aware and security-focused companies are never satisfied with their level of protection. They are well aware of the wider risks when staff use more open business systems.

When it comes to information security, firms will always have to invest more and better educate staff on best practices - but there is a touch of the self-fulfilling prophecy here. While the more risk-aware firms analyse threats and invest in different security systems, others simply spend whatever it takes - rather like the householder that takes out comprehensive insurance without ever evaluating or modifying their lifestyle.

Graham Opie is a director of Vanson Bourne