IT security climbs threat pecking order

Poor information security now seen as single biggest threat by business decision makers, according to NTT Com Security research

Information security has leapt up the agenda when it comes to what businesses see as their biggest threat, according to NTT Com Security.

Some 18 per cent of senior business decision makers now see poor IT security as the single biggest risk to their business, compared with just nine per cent in 2014, according to the security integrator's research.

NTT Com Security's 2016 Risk:Value Report quizzed executives at 1,000 firms in the US and Europe, including 200 in the UK.

NTT Com Security product marketing lead Stuart Reed told CRN the research indicated firms are taking IT security more seriously in the wake of last year's headline-grabbing data breaches, including Ashley Madison.

"The biggest thing to come out of this seems to be the shift in attitude in awareness regarding risk management," Reed said.

"Partly, this might be fuelled by some of the high-profile breaches that underline the importance of a robust policies-and-procedures approach within an organisation. Nearly 20 per cent of people now view information security as the single greatest risk to their organisation. And from our perspective, it is really encouraging to see the majority of UK businesses now have or are working on an IT security policy."

Competitors stealing market share was also cited by 18 per cent of those quizzed, but no other threat rated higher.

Insurance uptake

According to the research, 35 per cent of firms now have a dedicated cybersecurity insurance policy, with another 27 per cent actively working on getting one.

However, half of those whose company has purchased cyber insurance said they believed a lack of compliance with the necessary security criteria could invalidate their policy. And 43 per cent said they thought the absence of an incident response plan could void it.

Garry Sidaway, global director of security strategy at NTT Com Security, said cyber insurance is surfacing increasingly in customer conversations.

"NTT Com Security is working with clients and insurance providers to define the framework of controls that can be measured, so insurance companies can define the risk effectively," he said. "At present it is not clear what is and is not covered and hence for an insurer it is difficult to define a premium. From a client perspective, being able to prove and demonstrate the appropriate controls is also essential."

Prevention better than cure

The research also concluded that companies are reacting impulsively after the fact, rather than responding thoughtfully to a threat well in advance, Reed added.

A quarter of survey respondents said they were certain they would be a victim of a cybersecurity incident, with another 40 per cent saying they were pretty sure they would be hit. On average, a breach would cost companies just short of $1m (£0.69m), the research found.

But remediation budgets for dealing with a breach tend to be heavily weighted towards dealing with the consequences, rather than the cause, NTT Com Security added. The top two costs respondents expect to spend money on after a breach are legal fees and compensating customers for data loss (19 per cent and 18 per cent respectively), with fines and compliance costs coming next on 15 per cent. The actual costs of cleaning up and securing the company's systems and data in the form of third-party remediation services make up just 15 per cent of the anticipated breach recovery cost, the research found.

"Prevention is still better than cure," Reed said.

"While it is prudent to have a contingency plan in place should the worst happen, the focus shouldn't purely be a reactive stance to risk management."