Data breaches reported in the media are having a significant effect on businesses' approach to cyber-security and the priorities of their strategy, a new report found.
According to the Enterprise attitudes to cyber-security report, published by Optiv Security, the biggest concern for firms was found to be ‘security breaches covered in the media’, with 60 percent saying this has the most significant impact on their approach and priorities. Changes in legislation and regulation have the second biggest impact (56 percent).
External factors take precedence over gaps identified by internal assessment (51 percent). According to the report, too many businesses are taking an outside-in approach to cyber-security, making it hard to truly align solutions with business goals and future risk management.
The report also found that changing technology is having a big influence on cyber-security strategy. The proliferation of mobile applications has a major or significant impact on 79 percent of businesses – even more so than the need to understand gaps in their current security programmes. Cloud-based technologies follow closely behind, with 77 percent citing the migration to the cloud as having a major or significant impact.
According to the findings, a majority (58 percent) of IT leaders find it hard to get buy-in for their cyber-security programmes, due to a lack of board understanding about the true risks and complexities of the threat landscape. But only 33 percent report back on the success of their programmes with either a live dashboard or regular reports showing key metrics.
The report concluded that an increased emphasis on business alignment is one way of addressing these challenges. "In terms of staff, for security strategies to work effectively, stakeholders must share priorities and be striving for the same goals," said the report’s authors.
Jake Olcott, VP Government Affairs at BitSight, told SC Media UK that an effective cyber-security strategy must receive board-level approval.
"Too many organisations leave cyber risk management to IT or IT security professionals to handle. This approach can result in poor prioritisation, misplaced resources, and other failures. Organisations with executive and board support for cyber-risk management are more likely to be successful in reducing risk," he said.
Ashley Hurst, partner, International Sector Leader, Digital Business at Osborne Clarke, told SC Media UK that there have been many recent high-profile data breaches and cyber-attacks.
"Most of the companies involved would privately admit that there are things that could be improved either to prevent the attack or in responding to it. It is easy to criticise after the event but cyber-criminals are using increasingly sophisticated methods and even the most robust defences are being penetrated," he said.
"Closing the loopholes and restoring security is only part of the battle - in the high-profile cases the story often moves quickly from how the attack happened to how the company responded to it and communicated with its customers and other stakeholders. Those who have practiced their incident response procedures tend to fare better."