Information security is increasingly concerned with the way corporate data assets are used, rather than securing the devices that did away with the company perimeter. But as security needs are rapidly transformed, when do enterprises feel that they are getting on top of information security? At what point do personnel start following security policy rules?
And how do large companies set about mitigating the human factor, given today’s mobilisation of company assets in a 24/7 transactional world? As IT managers deploy new security systems to keep pace with evolving threats, is there a commensurate increase in the staff’s awareness of best security practices?
To examine these questions, we surveyed 100 UK enterprises, divided by size into 1000 to 3000-people firms and larger ones with more than 3000 employees.
The good news is that large firms take security extremely seriously. Two thirds (65%) of companies had increased spending since our last study in 2010, and the larger enterprises had increased their security outlay more than smaller ones.
The average information security spend is 7.7% of the overall corporate IT budget, and ranges from 10% or more in some firms to under 5% in others.
Download resources on security
Big firms worry about targeted attacks or malware, but the usual suspects – their employees – cause still greater concern. The top five security threats our survey identified were headed by employee attitude to security protocols (77% of interviewees concerned by this), followed by malware (76%), use of personal Cloud storage (70%), malicious non-commercial attacks (70%) and commercially-driven attacks (60%).
Today’s sharing culture has heightened IT professionals’ usual worries about plugging the leaky bucket of staff’s network activities. The top three threats that enterprises feel least protected against are: employees' attitude toward security protocols – remarkably, only 2% of interviewees are entirely conﬁdent of being protected – and use of personal cloud storage such as Dropbox (10%) and internal threats/attacks (11%).
As a result, identifying and managing security threats properly is a Pandora’s box. UK enterprises that spend more than 10% of an IT budget on security are more concerned than the lowest spenders (less than 5%) about the major threats to the business.
However, increased data security spending does make a difference. We found a correlation between increased expenditure and heightened risk management procedures. Of those enterprises spending 10% or more of the IT budget on information security, almost three out of four did manage to review their security procedures and providers. But, in enterprises where spending is under 5% of overall budget, this figure falls to half.
Perhaps the most encouraging news from the survey is that there are signs that increased enterprise security spending does seem to engender a cultural commitment from employees to better security practices, alongside the financial commitment.
Kevin Withnall is a director at Vanson Bourne