EU security spend falls short
European IT security investment is alarmingly low, says a European Commission report.
Information commissioner Viviane Reding says businesses and public sector organisations are underestimating the risks of insufficiently protecting networks.
Only five to 13% of corporate IT budgets go on security and this is worryingly low, she says. “The nature of the threat is changing and so must our response,” she said.
“In the past, hackers were motivated by a desire to show off, whereas today many threats come from criminal activities and are motivated by profit.”
The comments coincide with the Commission’s release last week of its report Strategy for a Secure Information Society.
To make Europe the leading information society by 2010 it says three areas must be addressed: specific network and information security measures, the regulatory framework for electronic communications, and protection against cyber crime.
The Commission will work with governments to benchmark national policies on network and information security, identify best practice and educate users.
The European Network Information Security Agency (Enisa) will assist by building an infrastructure to handle security incidents and alert member states.
Last week Enisa also released a report outlining its long-term security action plan.
Simon Perry, co-editor of the report and member of Enisa’s Permanent Stakeholders Group, said greater co-operation is needed between European Union member states to share information on IT security threats.
“The public sector should be leading the private sector in setting standards, but in member states and government agencies it is rare to find a department doing security well,” said Perry, also vice president of security strategy at CA.
Certain new EU member states need to do more to improve national information security, but greater levels of protection could lead to inward investment by industry, he said.
“There will be a bit of carrot and stick. Countries won’t get investment from the private sector if the infrastructure and security isn’t there,” said Perry.