IT decision makers won't invest in security, despite breaches

A survey conducted by training company QA reveals that eight out of ten (81 per cent) UK IT decision makers experienced some sort of data or cyber security breach in their organisation in 2015. Sixty-six per cent said that the breach had led to a loss of data, 45 per cent said that it had resulted in a loss of revenue, and 42 per cent said that it had resulted in a PR nightmare for the business. Despite this, however, less than a third (27 per cent) plan to invest in cyber security technologies next year.

It would also appear that not all organisations have learnt from their experience, with less than half (43 per cent) of IT decision makers saying that the breach had not resulted in a change of policy and procedure. Perhaps it’s not surprising that 40 per cent said they didn’t feel confident they had the right balance of cyber security skills in their organisation to protect it from threats in 2016.

The Biggest Threats to Corporate Security in 2016

  1. Organised/automated cyber-attack (54 per cent)
  2. Compromise through employees e.g. social engineering (11 per cent)
  3. Lack of encrypted data (10 per cent)
  4. Employee negligence e.g. lost laptops or other mobile devices (8 per cent)
  5. Not having or enforcing security policies and procedures (6 per cent)

Human error is the second largest concern (19 per cent) for IT decision makers, with both ‘compromise through employees’ and ‘employee negligence’ featuring in the top five threats.

When asked about key areas for investment to protect the organisation from cyber threats in 2016, over two thirds (70 per cent) of IT decision makers said they plan to invest in hiring qualified cyber security professionals in the coming year. Seventy-eight per cent said that they also expected budgets for hiring to increase next year. However, hiring isn’t a quick and easy solution.

Over eight out of ten (84 per cent) respondents said that it took on average up to three months to fill a cyber security skilled role on their team. To help address this, 45 per cent say they plan to invest in further training for existing cyber security staff and 34 per cent of IT decision makers said they planned to cross-skill/train other IT staff in cyber security specialisms.

When asked which organisations they would go to for advice on increasing capabilities around cyber security, the findings show respondents would predominantly turn to the IT sector. An overwhelming 92 per cent said they would turn to their IT/technology services partner and almost half (45 per cent) would seek advice from IT vendors.

Top 10 places for advice on increasing capabilities around cyber security:

  1. IT/technology services partner (92 per cent)
  2. IT vendors (45 per cent)
  3. Security consultant/consultancy (25 per cent)
  4. Government bodies (20 per cent)
  5. Training organisations (17 per cent)
  6. The Information Commissioner (ICO) (16 per cent)
  7. Accrediting body (14 per cent)
  8. Peers (14 per cent)
  9. Trade & Industry associations (14 per cent)
  10. Colleagues (9 per cent)

A large majority of high-profile breaches comprise a mix of technological know-how and human error.