Has UK business lost the plot on security spending?

That total can be divided roughly in half, with £18 billion falling to lost revenue following successful attacks and £16 billion to the increased spending required to secure business against the ongoing threat. Shocking enough headline figures, but the real shocker can be found in the detail, such as: 70 percent of Chief Technology Officers (CTOs) think their internal security policies block innovation to some extent, and 60 percent think the government should be doing more to help them.

'The business and economic consequences of inadequate cyber-security' report reveals that while 57 percent of CEOs hold themselves accountable, and 88 percent of British businesses have increased annual IT security spending, some 81 percent of large and 60 percent of small businesses suffered a breach last year.

All of which might seem perfectly fair at face value, but stop to think about those numbers and that attitude for a moment and an argument quickly starts to appear which suggests that British business is losing the plot when it comes to IT security spending. My gander is immediately got at any hint of buck passing, and within the context of threat response it is never, ever the right thing to be doing. Quite apart from the small matter of the maths: if security budgets are going up in step with the cost of successful attacks against business, then clearly business is spending too much in all the wrong places. SCMagazineUK.com has spent today asking the question: could British business better balance the security books?

Let's start with the thorny issue of passing the buck, and whether the government should be doing more to help UK PLC defend against cyber-attack. The report itself makes it quite clear where business stands, with that 60 percent believing that the government "is performing poorly in educating and protecting UK firms from cyber-attacks." Go granular on that statistic and you find that only 10 percent of CTOs, and 20 percent of CEOs, think the government is doing enough.

Terry Greer-King, director of cyber-security at Cisco UK&I, told SC that he thinks "the responsibility to mitigate impact of cyber-crime lies with businesses and governments equally" although acknowledging "businesses must do their own due diligence."

Wieland Alge, general manager at Barracuda Networks, thinks that pointing the finger at the UK government is at least partly justified. "Much data security and privacy legislation is out of date," he said, "because businesses are waiting for the EU General Data Protection Regulation - and it is the governments that have been delaying it for years, leaving many countries in a limbo state." Of course, Alge also points out that any expectation that the GDPR will establish security is a delusion. "Cyber-theft is a global business and can neither be stopped by the Basingstoke city council nor the UK government."

Ian Glover, president of CREST, thinks the government should be responsible for "pump priming initiatives and helping to set standards" which are suitable for the private sector as well as government. Glover told SC that what the government should be doing is working "to ensure that there is a flow of good people available to enter the sector. They may have started late but there is a programme of work from the new IT GCSEs through higher apprenticeships, support for universities and support for career tools such as the new www.inspiredcareers.org and professional development activities."