According to PwC’s annual Global State of Information Security Survey, UK businesses are spending an average £6.2m every year on IT security (up from £3m in 2015). Richard Alexander, CTO for Logicalis UK, digs deeper.
In many cases IT security spend is burning a cavernous hole in company balance sheets – without necessarily giving businesses much to show for it. In spite of this increased security spending, the cost of security incidents continues to rise. Firms are haemorrhaging an average £2.6m a year – up from £1.7m last year. In parallel, the number of cyber-attacks targeting UK companies has increased by 23% over 12 months, with phishing still the most common threat vector.
There’s no doubt that the rise of digital technologies has ushered in an age of tremendous opportunity – but it has also brought heightened risk. While businesses are striving to achieve more agility, they’re also leaving themselves exposed to new cyber threats. The combination of IoT, distributed IT and the increased pervasion of apps into the very core of the business – along with an ever-evolving threat landscape - represent a perfect security storm. In short, IT infrastructures are becoming more vulnerable to attack than ever before.
IT Security ‘well-baked’
In an environment in which businesses face threats from all directions, a company’s best line of defence is – metaphorically - the kitchen sink. To work, modern security strategies need to be ‘baked’ into an organisation’s infrastructure and services: security-as-a-topping will only go so far. It then needs to hold all the different constituent ingredients together.
Lend Lease Building Corporation (LLBC) is a good example of a company making security a core component of its operations. LLBC wanted to set a benchmark for clinical information access, providing staff, at the newly built Box Hill Hospital, with a virtualised and transportable computing environment. Rather than exposing itself to undue risks by opening patient data to roaming clinicians, it commissioned a Logicalis subsidiary company to build, manage and deliver the necessary devices – crucially, it specified that cutting edge information security should be designed into the device from the ground up.
It recognised that to be effective, security should be considered end-to-end, from the business requirements and design stages, right through to implementation and operation. Defence in depth is the only option.
Unfortunately, this thinking isn’t always universally employed in the business world. Returning to PWC’s research, only between a quarter and a third of UK companies have involved the board in setting security budgets and creating a security strategy.
Bitter pill to swallow
Why does this matter? Because a company’s defence will make or break a company. The Information Commissioner's Office (ICO) has now fined TalkTalk a record £400,000 for failings that led to the theft of the personal data relating to nearly 157,000 customers last October. This is on top of far deeper wounds inflicted upon the company. In May, TalkTalk revealed that the attack had cost the firm £42m and led to an exodus of 101,000 subscribers. While TalkTalk was the unwitting victim, it was punished for not doing more to safeguard customer information. And this is before the ICO are able to use the General Data Protection Regulation (GDPR) and associated fines to further impact the bottom line of organisations that are deemed negligent around securing personal data.
CIOs have an awful lot on their plates but I would argue the single most significant and pressing challenge for CIOs today is security. And that means security can never be a set-and-forget solution. To stay on top of an ever-evolving threat landscape and protect sensitive data, companies must constantly monitor and learn. This means, for instance, following every threat across the entire attack continuum - from before and during the attack, to its aftermath.
It is paramount that Executives are aware of the risks our digital age poses to their organisations. It is our job to educate organisations about the constant evolution of threat vectors and the threat landscape, and to help bring the right mix of technologies, people and process to mitigate as much of the risk as is economically viable.
In summary, in the digital age, IT security must be shaped by comprehensive strategies, which marry security intelligence & analytics with user training & awareness.