TechBeat: Security — risk and cybercrime
“Awareness has clearly grown over the last year, but the real question is: what is the other 15% doing? By not making changes or improvements to IT security these businesses are failing to recognise the need to change or improve and in the current threat landscape this is asking for trouble.
“Cybercriminals change their tactics all the time — this means that IT security needs to change. What you have in place this year, even if fully fit for purpose, won’t be adequate next year — changes and improvements are constantly needed.”
When asked how confident they were in their information security, more than three quarters (77%) said they were reasonably confident, while one in 10 said absolutely confident and 13% said not at all.
This perhaps shows the cautious optimism that has characterised the sector for some time. Most realise they are doing the basics and getting close to best practice, but are cognisant of the fact that a determined hacker will get in eventually. The 10% who are absolutely confident may be somewhat misguided.
The survey asked what was the chief concern in relation to cyberattacks. The chief concern by some margin (41%) was brand and reputational loss, followed by data loss (33%). Coming in some way behind were financial loss (11%) and downtime (10%). In low single figures were personal reputational loss (3%), job loss (1%) and reprehension by superiors (1%).
Clearly, Irish IT pros are not too fearful of losing their jobs over a cyberattack, or a dressing down from superiors, but the recognition of the potential for brand and organisation reputation loss is well understood.
“This is a surprising statistic,” Keating admits, “and suggests that there is a lack of understanding of the risks and solutions at board level. The fact that practically no one is worried about losing their job suggests there’s no worry factor for IT people — that it’s not their fault if something goes wrong.”
“Now, contrast this with the US, where on Wall Street, for example, if something goes wrong the first move traditionally has been to fire the IT director. This is perceived as not being the case here.”
“However, it’s an unfounded lack of fear — across any of the big hacks that happen, make no mistake about it, IT people do lose their jobs. Brand and reputation damage is a huge worry as not all businesses can survive it in the event of a major breach. Customer trust and loyalty can be broken, and this is incredibly difficult to bounce back from.”
To tackle these issues, the survey asked about information security budgets for 2016, with 42% expecting no increase over the previous year, but just 2% expecting a decrease. One in five expected up to a 10% increase, 14% expected an 11-25% increase, while a significant 13% expected 25% plus. A further 10% expected a more than 50% increase.
While Keating acknowledges that IT spending tends to go in cycles, he argues that the smart money in the area is moving from a capital expenditure (CapEx) to an operational expenditure (OpEx) model.
“If you have a good security solution now then the majority of what you’re spending going forward should be updates. Get a suitable platform and benefit from updates and support. It’s worth noting that support and updates are splitting out from each other — they used to be under the same banner.”
“Increases in spending do come from this,” Keating acknowledges, “once you’re in an OpEx model, there are less peaks and troughs. It can be hard for IT staff to get this message understood at board level. The 20% of respondents who would expect to grow between 0-10% — that’s the sweet spot. It suggests reasonable and measurable growth in IT security spend that companies can plan for easily.”
Respondents were asked if they had an information security strategy document for at least the next 12 months to guide this spending. Nearly half (48%) did not, with slightly fewer (46%) saying they did, and just 6% saying they did not know.
Keating is sanguine on this point.
“Everyone would like to have a 12-month plan, but it is the sort of thing that gets put on the long finger as other priorities surface. Broadly speaking, a yearly document where you set out goals for what you’d like to implement is a good idea. It can’t be concrete as priorities may change during the year. It can act as a to-do list and a base to return to when considering future development.”