Is cyber security becoming a cost of doing business - to the detriment of our data?

Computer Weekly writes a lot about cyber security – it’s the easily most popular topic among our readers, and always rates as one of the top priorities in our annual survey of IT professionals. None of that will come as a surprise.

But some weeks certain stories come together to bring an insight into the challenges facing organisations in this area.

A global survey published this week showed two-thirds of 1,300 senior executives interviewed ranked cyber security among their organisations’ top five risk management priorities – approximately double the response to a similar question in 2016.

However, only 19% of respondents said they are highly confident in their organisation’s ability to mitigate and respond to a cyber event, while only 30% said they have developed a plan to respond to attacks.

Consider those findings against a separate survey, that showed the cost of cyber crime is now up to 0.8% of the global economy or $600bn a year – up from 0.7% in 2014, an average rise of 11.3% a year. Note also that Europe suffers the highest economic impact of cyber crime, estimated at 0.84% of regional GDP, compared with 0.78% in North America.

Business executives clearly recognise the importance of cyber security – and are feeling it financially – but have neither the confidence nor the plans to tackle the problem.

Look also to the public sector, where a survey of 500 people in the UK found that 49% were “wary” of sharing their information on public sector websites.

Meanwhile, an investigation by privacy campaigners Big Brother Watch showed that local authorities are being hit by an average of 19.5 million cyber attacks a year. That equates to 37 attacks or attempted breaches every minute on councils that are accumulating growing amounts of sensitive and personal information about citizens.

The report revealed an “overwhelming failure” by councils to report losses and breaches of data, as well as shortcomings in staff training.  Over the last five years, 114 councils suffered at least one breach and 25 had a loss of data, but more than half of those incidents went unreported.

Can you blame citizens for being worried about how their personal data is being handled?

Add one further survey to the mix – 70% of organisations said they need cyber security skills, but only 43% said they already had such skills in place.

It’s reassuring to see the growing awareness of IT security risks – among executives and the public. But the gap between understanding and capability is not shrinking in response – in many cases, it’s growing.

Organisations need to turn awareness into action, otherwise the cost of cyber attacks will become a recurring and accepted cost of simply doing business – and it’s the privacy of our personal data that will suffer as a result.

Content Continues Below

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

This is a good, thoughtful piece ... but awareness is already turning into customer resistance ... and costing the IT industry where it hurts. More positively One of the driving forces behind local support for the Plymouth Cybersecurity Skills Partnership ( ) is that the local police and crime commissioner has put addressing fraud against the elderly as one of his top priorities. I need to make time to blog on the second review and plans to extend the partnership.

But things are beginning to change.

It is 18 months since I blogged ( )  that Cybercrime was costing the UK more than our membership of the EU

Law Enforcement is beginning to become more pro-active with initiatives like the Global Cybersecurity Alliance (City of London Police and New York District Attorney's Office).

GCHQ is now involved (via the NCSC and NCA) in tracking and tracing on-line criminals. The first time this was publicly acknowledged was when several NHS Hospitals became "collateral damage" when a "proof of concept" test (Wannacry) got out of control. Its contribution to unravelling the security of pederast networks also appears to have been central to the recent conviction of on-line pederast Matthew Falder.

One of the reasons I have not blogged much recently is the time I have been spending putting players together on partnerships to take practical action on the cyber security skills shortage that cripple effective defence.

But defence is not enough.

The attacks will only peter out when major victims put 10% of their security budgets into co-operation with law enforcement to use blended mixes of civil and criminal law (aided by GCHQ and its partners) to take action along the cyber-crime supply chains to "take out" those benefitting from the proceeds of crime.

Ongoing co-operation with France, Germany and some (but not all) EU member states  in this space (which happens to NOT be an EU Competence) should form a key part of our Brexit negotiations.