According to BT research, the UK is trailing in cyber security awareness rankings. In fact, fewer than 20% of UK business leaders see cyber security as a “major priority”, the study commissioned by telecoms giant BT showed. It surveyed 500 IT decision makers in medium and large businesses in the finance, pharmaceutical, retail and government sectors across seven countries.
Of the seven countries surveyed (the US, UK, Brazil, Germany, France, Singapore and Hong Kong), the UK has the lowest percentage of respondents who believe their CEOs prioritise cyber security, at only 17%. This is in stark contrast to the 41% of American IT decision makers who think that their organisations’ CEOs consider cyber security a priority.
On average across the seven countries, 58% of the IT decision makers thought cyber security importance was being underestimated in the boardroom.
Mike Small, member of the ISACA UK Security Advisory Group, thinks that this is a matter of poor communication: “The security industry makes a great deal of the arcane details of the technical threats, but does a poor job of presenting the risk and the cost of poor information security to the business. You need to illustrate the problem with the real costs involved to organisations to make information security a business priority.”
The study also revealed a disconnect in attitudes between US and UK IT decision makers towards “non-malicious insider threats”, such as the accidental loss of data by an employee, with 85% of IT decision makers in the US viewing the risk as ‘severe’ and only 60% of their UK equivalents feeling the same.
UK respondents were also generally less concerned than those from the US about the threat of ‘hacktivism’, or politically motivated hacking, organised crime, terrorism and attacks from nation states, the BT research found. Generally, in all other countries besides the UK, more than half of the IT decision makers felt that the risk of hacktivism and malicious insiders would grow over the year. But in the UK, around 30% thought that the risk of hacktivism would grow and only 25% said that malicious insider threat would increase.
A large proportion of IT decision makers (74%) said they wanted to train all staff in their organisations in cyber security best practice.
Amar Singh, also a member of the ISACA UK Security Advisory Group, pointed out that this is an area where HR could help when dealing with employees, especially non-malicious insiders.
“HR in the UK tends to be extremely cautious when it comes to embracing and then enforcing information security. HR needs to embrace the CISO and the information security function and understand its importance to an organisation’s overall ability to do business in the cyber century,” he said.
“The CISO or equivalent role has not yet gained a firm footing in the board in many organisations, and too often has never even spoken to the CEO. Often pigeon-holed in IT, the CISO is often called upon only once things go wrong – and by then it’s too late.”
Commenting on his company’s research, Mark Hughes, chief executive of BT Security, said: “The massive expansion of employee-owned devices, cloud computing and extranets has multiplied the risk of abuse and attack, leaving organisations exposed to a myriad of internal and external threats – malicious and accidental.
“The risks to business are moving too fast for a purely reactive security approach to be successful. Nor should cyber security be seen as an issue for the IT department alone,” he concluded.