IT security critically underfinanced, study finds

IT security is critically underfinanced by business, a global study has revealed

IT security is critically underfinanced by business, a global study has revealed.

Some 60% of IT decision-makers say there is insufficient time and money available to develop IT security policies, according to Kaspersky Lab’s Global Corporate IT Security Risks 2013 survey.

As a result, barely half of the companies surveyed feel that they have highly organised, systematic processes to deal with IT threats, the survey found.

The situation is especially poor in the education sector, where only 28% of organisations are confident they have sufficient investment in IT security policies.

But of even greater concern, only 34% of the government and defence organisations surveyed said they have enough time and resources to develop IT security policies.

The remaining two-thirds are in constant danger of losing confidential governmental information, according to the research report.

Read more about security policies

However, the report points out that even taking a single measure – such as implementing IT security policies for mobile devices – could significantly reduce the risks posed by smartphones and tablets in a corporate IT environment.

The survey shows almost half of organisations have no such policies. Even where mobile security policies have been implemented, resources are still inadequate. Around half complain that budget increases are insufficient, while 16% complain there is no extra funding made available.

According to the survey, 91% of respondents firms have at least one external IT security incident and 85% reported internal incidents in the past 12 months.

The Kaspersky report points out that such incidents can cause real financial and reputational damage; and that these losses can significantly exceed the cost of putting in place IT security tools which would help to avoid leaks of important data, downtime and other unplanned expenses.

The survey report said a serious incident costs large companies an average of £418,000; for small and medium-sized companies the bill typically comes to about £32,000.

However, a successful targeted attack can cost a company more than £1.5 million in direct financial losses and additional costs.

David Emm, senior security researcher at Kaspersky Lab, said lots of organisations do not realise these risks.

“A quarter of companies still regard security issues as things that happen to others – although more and more are starting to realise they are a real life problem for any business,” he said.

According to Emm, another problem is that 28% of companies mistakenly think the costs of guarding against cyber crime are greater than the potential losses.

Read more on Security policy and user awareness