Security is vital to public and private sectors alike, and the government has already highlighted skills shortages in the area. It’s therefore a source of some reassurance that, according to Hiscox’s Cyber-Readiness Report, spending and personnel are on the increase to combat any crime arising.
The headline findings of the report are relatively easy to guess but no worse for that. Recovering from a data breach takes more time than many people would have hoped. Smaller firms are hardest hit as they have the smallest resource with which to recover. Security spending is going up and the insurance industry is going to do very nicely out of it, thanks.
Numerous companies are novices in the cyber security arena and a third haven’t actually done anything about it, the report continues.
A number of commentators have offered their views.
You’ve done nothing at all about security?
Rob Norris, VP head of enterprise and cyber security EMEIA at Fujitsu, was concerned primarily by the number of companies that had done literally nothing to protect themselves. “It’s crystal clear that many businesses, and consumers, are still failing to see the reality of the situation we are now facing,” he said.
He was also concerned about compliance. “Organisations should focus on the integration of threat intelligence and other information sources to provide the context necessary to deal with today’s advanced cyber criminals. There must also be a clear and well-rehearsed crisis management plan for a breach, addressing internal and external communication. With the new EU GDPR legislation coming into effect next year, it’s vital for organisations to take a proactive approach when it comes to cyber security. Ensuring a compliant business environment, that will help protect the company and its employees, needs to be the number one priority.”
Darren Anstee, Chief Security Technologist at Arbor Networks, welcomed the extra expenditure with qualification. “While this is not a good thing in and of itself, we are seeing an increasing proportion of organisations factoring cyber threats into their business and IT risk assessment processes, which should lead to the right investments being made in defensive solutions and services.
“A better understanding of the impact an attack can have is driving firms toward best-practice, and our latest research shows better detection / mitigation capabilities, faster response times and improved overall effectiveness. That said, this is an iterative process as attackers aren’t staying still. With the adoption of different technologies, such as cloud, NFV etc., new or expanded threat surfaces emerge and have to be addressed.”
Money can’t buy me…security
However, John Madelin, CEO at RelianceACSN, was not so sanguine. “While it’s nice to see companies taking cyber security seriously, throwing money at software won’t solve the problem,” he said. “Companies already spend huge amounts on security tools, with the average firm deploying 75 different cyber defence systems to police their networks. The problem is that these tools often operate in silos, creating a sort of patchwork quilt that still leaves companies exposed.
“What’s needed is an integrated, end-to-end approach to security, that focuses on protecting a company’s most critical data, IP and assets. Cyber security can’t just fall under the remit of one department – everybody that has access to the network must be properly trained. Investing in staffing is smart, but with a severe skills gap in cybersecurity, finding the right staff may prove tricky.”