Has UK business lost the plot on security spending?

News by Davey Winder

New research from think-tank the Centre for Economics and Business Research (CEBR) suggests that the true cost of cyber-crime to business in the UK is as high as £34 billion per year.

That total can be divided roughly in half, with £18 billion falling to lost revenue following successful attacks and £16 billion to the increased spending required to secure business against the ongoing threat. Shocking enough headline figures, but the real shocker can be found in the detail, such as: 70 percent of Chief Technology Officers (CTOs) think their internal security policies block innovation to some extent, and 60 percent believe that the government should be doing more to help them.

'The business and economic consequences of inadequate cyber-security' report reveals that while 57 percent of CEOs hold themselves accountable, and 88 percent of British business has increased annual IT security spending, some 81 percent of large and 60 percent of small businesses suffered a breach last year.

All of which might seem perfectly fair at face value, but stop to think about those numbers and that attitude for a moment and an argument quickly starts to appear which suggests that British business is losing the plot when it comes to IT security spending. My gander is immediately got at any hint of buck passing, and within the context of threat response it is never, ever the right thing to be doing. Quite apart from the small matter of the maths: if security budgets are going up in step with the cost of successful attacks against business, then clearly business is spending too much in all the wrong places. SCMagazineUK.com has spent today asking the question 'could British business better balance the security books?'

Let's start with the thorny issue of passing the buck, and whether the government should be doing more to help UK PLC defend against cyber-attack. The report itself made it quite clear where business stands, with that 60 percent believing that the government "is performing poorly in educating and protecting UK firms from cyber-attacks." Go granular on that statistic and you find that only 10 percent of CTOs think the government is doing enough, and 20 percent of CEOs.

Terry Greer-King, director of cyber-security at Cisco UK&I, told SC that he thinks "the responsibility to mitigate impact of cyber-crime lies with businesses and governments equally" although acknowledging "businesses must do their own due diligence."

Wieland Alge, general manager at Barracuda Networks, thinks that pointing the finger at the UK government is at least partly justified. "Many data security and privacy legislations are out of date" he said "because businesses are waiting for the EU General Data Protection Regulation - and it is the governments that have been delaying it for years, leaving many countries in a limbo state." Of course, Alge also points out that any expectation that the GDPR will establish security is a delusion. "Cyber-theft is a global business and can neither be stopped by the Basingstoke city council nor the UK government."

Ian Glover, president of CREST, thinks the government should be responsible for "pump priming initiatives and helping to set standards" which are suitable for the private sector as well as government. Glover told SC that what the government should be doing is working "to ensure that there is a flow of good people available to enter the sector. They may have started late but there is a programme of work from the new IT GCSEs through higher apprenticeships, support for universities and support for career tools such as the new www.inspiredcareers.org and professional development activities."

Chris McIntosh, CEO of ViaSat UK and a former Lieutenant Colonel in the Royal Signals, however, thinks that enterprises asking the government to reduce cyber-attacks should be careful what they wish for. "Ultimately if the Government wishes to protect the population against cyber-attack it will impose harsher rules on enterprises," he told us, continuing "compulsory encryption of all data and mandatory reporting of every potential breach would go a long way towards making the UK a safer place: yet enterprises who have to invest in technology, as well as facing the potential of fines for non-compliance, might not see it the same way."

Eldar Tuvey, CEO of Wandera, summed it up nicely when he told us that charity begins at home: "Effective security begins in the IT department," he says, adding "you can't rely on governments to solve the problem - they are having a hard enough time securing themselves, as recent reports of hacks to the US Government's Office of Personnel Management (OPM) show."

OK, so if government is not the answer, do increased security budgets with poor results suggest that business is spending on the wrong kind of protection, especially if the security policy also stifles business growth? Rob Lay, enterprise and cyber-security solutions architect in UK and Ireland at Fujitsu, is in no doubt that when it comes to spending, security is still seen very much as an IT and technology issue, which results "in a knee jerk response to incidents that leads to the purchase of significant amounts of technology." Information security should be seen as a business issue, he told us: "by targeting their most critical assets first, they can rapidly reduce their risk while ensuring that, through the use of the risk based approach, the investments and improvements are appropriate to the level of risk they face." This is a viewpoint shared by Cisco's Greer-King, who told SCMagazineUK.com that "conversations about security need to be taken back into the boardroom. Executives and employees alike must prioritise security by adopting a holistic approach that embeds security across all business processes."

Matt White, senior manager in KPMG's cyber-security team, has seen and heard it all before. "We frequently see businesses reacting to issues seen in their peers by implementing new pieces of technology," White told us, "but these point solutions are only a piece of the security puzzle." Only once you know where you are, and where you have been, can you plan the security journey forward effectively. "It's this strategic element that is often missing from the ways companies spend their security budgets," White concludes.

We heard the same kind of message time and time again today while talking to people across a wide swathe of business: "There's definitely no correlation between spend and the effectiveness of security," James Henry, consulting practice manager at Auriga, said. "Spending more money doing the same things and expecting a different result is not logical," chipped in Mike Smart, security strategist for Proofpoint.

"Businesses are buying every security product in sight to try and reduce their risk - however, high spending does not necessarily equate to good security," Thomas Fischer, principal threat researcher at Digital Guardian, told us.

So what is the answer for UK PLC? Has it lost the plot on security spending? Charles Sweeney, CEO at Bloxx, doesn't think so; rather, "their heads are being turned in so many different directions that unravelling the security problem is only ever going to become more complex."

This is where the notion that business has to take a more pragmatic approach to security comes in. Bharat Mistry, cyber-security consultant at Trend Micro, says "it is too expensive to blankly deploy expensive security technology across the infrastructure – and something the board will not sign-off." Sam Hutton, CTO at Glasswall Solutions, is in no doubt that moving away from reactive security spending is the answer: "We have wasted excessive energy and resources second guessing the bad guys," he told SC. "We've failed and it's time to change our approach. Rather than reactive defence, let's build policies and controls that focus on known good to reduce risk and save money."

We'll leave the last word to Fraser Kyne, principal systems engineer at Bromium, who told us that he thinks we need to confront the uncomfortable truth that "the IT security industry has failed to deliver meaningful solutions" and instead continues to feed itself by providing band-aids that attempt to alleviate the symptoms of the condition rather than tackling the root causes.

"Einstein defined insanity as doing the same thing over and over again and expecting different results" he points out.
