In our last blog we left off at InfoSecurity Europe 2014, taking in the findings of the Cyber Security Breaches Survey 2014, commissioned by the UK's Department for Business, Innovation and Skills and conducted by PricewaterhouseCoopers (PwC).
The launch address by David Willetts, MP, Minister of State for Universities and Science, reflected the industry's concerns about trust: unless online companies did more to earn the trust of their users, the event's much-quoted theme, ‘Information Security as Business Enabler’, was likely to fall short of its aim.
As Willetts declared, the internet accounts for eight percent of UK GDP, so in order to maintain public confidence in doing business online, the government had set up a National Cybersecurity Strategy, investing £860m of public money over the next five years. This included the Cyber Essentials Scheme, aimed at helping businesses in the private sector to stay safe online, and the ‘10 Steps to Cybercrime Security’ guide, which the Cyber Security Breaches Survey found was used by 26 percent of respondents.
Awareness among management is certainly improving. Last year respondents reported that 12 percent of the worst security breaches had been caused by senior management giving insufficient priority to security. This year, that figure was down to seven percent, with 79 percent of respondents reporting that their senior management placed a high or very high priority on security. At the same time, investment in security has also risen, with large organisations now spending on average 11 percent of their IT budget on security (up from 10 percent in 2013), and small businesses spending a record average of 15 percent (up from 12 percent in 2013).
Two of the questions Willetts took after the address highlighted important issues. The first concerned PwC's recent Banking Banana Skins 2014 report. The top five risks for 2014 were presented as 1. Regulation, 2. Political interference, 3. The macro-economic environment, 4. Technology risk, and 5. Profitability.
Technology risk had risen from 18th position on the 2010 list, because of growing concerns about the vulnerability of outdated systems to cybercrime and outages, and the low priority assigned to this risk by management. In his reply Willetts acknowledged that information security had formerly been a matter left to the technical experts and not raised at board level, but he was encouraged by the increase in the percentage of management that prioritised security, and also by the proportion of respondents that used the ‘10 Steps’ guide (26 percent).
The second question Willetts took covered detectability. Rather than a decline in breaches, was it not more the case that perpetrators were simply better at covering their tracks? Perhaps it wasn't the number of breaches that was decreasing, merely our ability to detect them? As the spokesman from PwC confirmed, an estimated 70 percent of breaches never become known outside the company, so what makes the headlines represents just 30 percent of what actually happens.
The survey dealt only with breaches that had been detected and that companies were prepared to disclose to PwC. The real extent of the problem has to be inferred from the trends the report reveals.
In my next two blogs we'll be looking at some of the messages from the larger exhibitors on the show floor, and also reporting on the keynote presentation from Google's Engineering Manager on how they secure and protect user information online.