Despite the increasing value of data, personal and commercial, the monetary penalties for failing to keep personal data safe, and the potential brand damage from any data breach, IT security remains a dirty word in many UK companies.
Like insurance, many UK businesses still see IT security as a grudge purchase. Business executives struggle with the idea of paying for something they may never need.
“There is a lot of talk about data security and the need for it, but few organisations are making the right commitments,” says Stewart James, partner at legal firm DLA Piper.
In new IT projects, he says, the specifications increasingly mention security, but in practice relatively little attention is given to this area. Commercial concerns tend to take precedence.
Companies that are most successful in ensuring that security technologies are not only implemented, but also used effectively, are those where security is part of the organisational culture, says James.
“Everyone recognises the value of protecting commercial and personal data, but these tend to be companies where data is the core of the business rather than some physical product such as a vehicle telematics and other web-based services,” he says.
Culture is the key, says James. This is borne out by the fact that public sector companies and organisations tend to be better at information security and generally take it more seriously, as do businesses and organisations in the financial sector, where confidentiality and security have real meaning.
“Local government is probably not much better than private sector organisations at information security, but the closer public sector organisations are to the military, the better applied security technologies and practices become,” he says.
In these organisations, information security is enforced. This enforcement is an accepted part of the military culture. In the private sector, however, this culture of enforcement is missing.
Although it will be a long time coming, James says it is from the public and banking sectors that the best information security practices, such as demanding greater security and assurances from all suppliers, are likely to grow out into the wider business community.
In the longer term, James believes we may see a dynamic change in the way business is done. We may get to the point where commercial enterprises accept that any products and services they introduce will be copied and that competitive advantage comes from being the first mover.
Imagine a world where commercial enterprises survive by selling products and services to people before they realise they want them and then keep on innovating to keep ahead of competitors that will inevitably copy them.
In the meantime, businesses will hopefully begin to understand the real value of data and move from paying lip service to security, or simply throwing money and technology at the problem, to making security part of their organisational culture to protect all commercial and personal data.