While traditional cyber threats remain, businesses are being hit increasingly by intellectual property theft, according to Rhodri Davies, security service development manager at HP Enterprise Security Services.
This is driving increased interest in the ability to record what is going on in their IT environments, to understand what that means, and to be able to respond to it, he said.
But many organisations also need to focus on getting the basics right, and to do them consistently, because known vulnerabilities are still being widely exploited, said Davies.
"Cyber criminals will continue to use existing attack techniques as long as they are working," he said.
Risk is another area that is in need of attention in many organisations, according to Davies. While smaller organisations tend to focus on operational security only, even where there is some attention paid to information risk, it is seldom tied in well with security operations, he said.
"The main problem is that risk is hard to quantify; also it is often difficult agree on a common metric because risk often means different things to different people or groups," said Davies.
In addition to getting the basics right, many organisations need to work on understanding risk to guide investments in information security, he said.
Davies suggested a good starting point in assessing security investment priorities is to assume that current defences are not perfect.
"Experience suggests this is true, so organisations should ensure they are aware of what is going on and they are prepared to respond," he said.