The impact of data breaches has been felt far and wide in 2014. This year alone saw Sony, JP Morgan Chase, the European Central Bank and eBay fall victim to an attack. Large or small, every firm is faced with challenges around cyber security and how to protect its critical data. The increased dependency on technology, combined with the evolving complexity of cyber security threats, continues to increase our vulnerability at a national, organisational and individual level.
In fact, our recent Risk:Value report, which was designed to assess the level of risk within organisations and the value that senior executives place on data security, found that 56% of businesses in the UK expect to suffer a security breach at some point. Yet, the same research revealed that less than half of all critical data is completely secure.
Whilst we know that a data breach is seen as bad for business, the attitudes to ownership and responsibility are mixed. Nearly half of UK business decision makers depend upon their IT security team to allow them to use and access work-related data safely whatever device they are using, but 34% see it as a joint responsibility between themselves and the security team. It’s clear that organisational culture needs to change, because security is everyone’s problem and everyone’s responsibility.
Incidents will no doubt rise and become more sophisticated and, left unchecked, threats will become harder to detect. In 2015, we will see momentum towards a collective responsibility for data security, and risk management will eventually earn a permanent place on the boardroom agenda. After all, security should be viewed as a shared responsibility that reaches well beyond the traditional view of it residing in a single department.
The IT skills shortage
The challenge of security and risk management will be further compounded by the global skills gap. It’s no longer possible for many companies to tackle the growing problem in-house, because there is an increasing lack of people with the right IT security skills, experience and availability to address this issue.
Evidence shows there is an ongoing recruitment challenge in the discipline of cyber security, and training and development challenges are often to blame. According to the ISACA 2014 APT Survey, 62% of organisations have not increased security training in 2014 but, on the other hand, the cost of breaches is thought to have doubled last year in the UK alone.
In addition, the Risk:Value report showed that 82% of respondents understand the importance of their data, yet levels of knowledge about that data, and the extent to which they are willing to commit IT budget to securing it, vary widely among senior business decision makers. Furthermore, almost a fifth think there would be no significant impact on their revenue in the event of a breach, while 28% admit they do not know what the financial implications would be.
The findings suggest that more focus could be given to prioritising resources to optimise IT security and risk management, yet we are seeing a widening gap in the number of IT security experts needed to manage the growing number of threats. Simply put, there are too many threats and not enough professionals in the industry.
The managed services solution
Whatever the reasons are for the skills shortage, businesses are faced with a growing volume of cyber attacks – and the consequences can be significant. There was a 48% year-on-year increase in the number of detected incidents in 2014, according to PwC, and the total financial losses attributed to security compromises increased by 34%.
Security and risk management are clearly important areas for any organisation but, with fewer skilled professionals, some organisations will struggle to do anything beyond keeping the lights on. The threat landscape will continually change, which means every company must consider its current risk exposure in the context of its commercial objectives.
More and more firms will therefore look towards trusted advisors to provide expertise in a collaborative way that meets their business objectives. As a result, managed and professional security services will play an increasingly prominent role across the whole organisation in 2015.
Hiring help from a third party provider enables the business to benefit from an independent assessment that helps it understand its risk exposure, consider best practice, prioritise activities and articulate these at all levels of the business. It also addresses the issue around IT skills shortages. These partners take away the problem of there not being enough resource – they know how and where to find the right experts, invest in training and improving professional qualifications, and make these experts available around the clock.
It’s worth noting, though, that businesses should exercise caution when thinking of working with a managed and professional security services provider. Not all are the same. Find one that is prepared to work within the business model and strategic aims – not to their own agenda. It’s about getting access to their collective global knowledge and systems, and highly experienced people. This will give the active threat management required to help mitigate risk at a time when the IT skills gap faced by businesses will be hard to fill in the foreseeable future.
By Stuart Reed, Global Product Marketing Director, NTT Com Security