
Corporate Procrastination: IT Security's Biggest Weakness

20/06/2017 12:33 BST | Updated 20/06/2017 12:34 BST


By now, there's no excuse for ignoring IT security - lack of awareness is no longer a credible defence. Similarly, there's no shortage of places to go for advice, tools and services to protect vital systems, services and data. There's a multi-billion dollar security industry out there providing tried and tested technology, where the best levels of protection usually defeat all but the most determined attack.

But a quick look at media coverage around IT security disasters underlines not only the ongoing risks, but also a sense of urgency for a stronger response from businesses and authorities alike:

". . . as companies count the cost, IT directors are drawing up radical plans to prevent a repeat."

"So what do we, and what should we expect the UK Government to do about computer security?"

"Unless we come up with some better protection than at present for the virus threat, our systems could be facing a major catastrophe in the near future."

The thing is - these are concerns and opinions as they were expressed in the media 17 years ago in the aftermath of the damage caused by the 'Love Bug' computer virus.

Yet, this coverage could just as easily have appeared last week. So, what's going on? Is the technology industry fighting a losing battle? Are the products and services just not good enough, or is the challenge more closely related to how many businesses treat IT challenges in general and security in particular: it's just not a big enough priority for them?

We're in this situation despite the fact that security breaches are exceptionally expensive. The 2016 Ponemon Institute 'Cost of Data Breach Study' put the average consolidated cost of a data breach at $4 million.

And, according to Dark Reading, 2016 saw over 4,000 data breaches exposing 4.2 billion records. The report goes on to detail that 82,000 cyber incidents (data loss, ransomware, phishing, etc) hit 225 organisations around the world every day. Experts quoted in the report believe that "more than 90% of cyber incidents could have been prevented."

Now, it's difficult to draw detailed conclusions by just looking at these reports, but what they help illustrate is that it's a very big problem costing an enormous amount of money.

As for the capabilities of the security industry - yes, security breaches are numerous, they happen globally and the ones we hear about probably represent a fraction of the real scale of the problem. But even then, the vast majority of organisations are rarely breached and a great many can resist most threats. Even though the volume of IT security incidents continues to rise, it seems clear that organisations determined to protect themselves can do a good job.

That's certainly reflected in the value of the global IT security market, which one study estimates will reach $202bn by 2021.

Procrastination is the thief of time

If we accept that IT security breaches are well understood, are a very common, hugely expensive problem, but can often be prevented, where does that leave us?

Arguably, we are back to a self-imposed mindset that was as well known in the year 2000 as it is today: it's all about priorities.

Is there perhaps a common mindset out there that stops businesses taking security seriously? Is it because business leaders see security as an investment with no return? You pay for IT security, but you never get anything back as a result because the ultimate objective is just that nothing bad happens.

Or is it just that the perceived danger isn't tangible enough? Either way, somehow, the risk/reward element doesn't create enough urgency, so businesses just put it off until later. Then, they get hit by an attack or breach, and only then do the financial brakes come off and they spend to prevent it happening again.

From the 'Love Bug' virus in 2000 to WannaCry a month ago, corporate procrastination has consumed nearly 20 years as if they never happened. Yet something as simple as a change in mindset could go a long way towards frustrating the efforts of cyber criminals, so that we aren't having the very same debate for the next two decades.