By now, it should be clear to business leaders that cyber-security is a business problem, not solely an IT problem. UK businesses reported losses of nearly £11 billion in 2016, according to figures released by Get Safe Online and the UK's national fraud and cyber-crime reporting centre Action Fraud. Cyber-crime is projected by Cybersecurity Ventures to cost the world in excess of US$6 trillion (£4.31 trillion) annually by 2021. Despite a series of high-profile cyber-attacks, from the Yahoo hack to the WannaCry breach, IT professionals believe that organisational focus remains far from cyber-security until a breach happens. They allege that the strategy is frequently too focused on post-breach containment, rather than proactive prevention.
On a more positive note, however, there is hope that recent high-profile hacks and breaches can serve as a wake-up call to businesses currently avoiding committed security investments. The research noted that most cyber-security investment is driven by highly publicised attacks – at present 93 percent of boards only take action when things go wrong, but high-profile cyber-attacks like WannaCry and NotPetya ensure that the problem cannot be ignored.
In the last year, two-thirds of businesses have stated a desire to review or increase their security budget. To underline this, 71 percent of IT departments say they have increased their cyber-security budget from the previous year. Publicised breaches offer case studies in failed security protocols. Seeing the consequences of a lack of planning or employee education gives businesses insight into what they should be doing to avoid a similar fate, and ensures that the issue remains at the front of decision makers' minds.
Being proactive about strengthening security protocols is a long-term project, which requires consistent engagement with the issue, not just a reaction to a crisis that has already occurred. Prevention is preferable to containment. This requires employee education, total visibility of a business's network, and looking to technology to automate, predict, and adapt to threats.
Prevention is easier when all employees in the business, not just the IT department, take responsibility for the security of the business. For example, breaches like the Bupa or Waymo hacks have raised awareness of how many breaches occur because employees are targeted. In response, 67 percent of businesses say they are planning IT security and awareness training for employees in 2018.
Contributed by Shane Grennan, regional director UK&I, Fortinet
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.