Many UK execs do not understand need for data security, study shows

Many UK non-IT business executives still do not understand the risk associated with data and the important of keeping it safe, a study shows

Many UK non-IT business executives still do not understand the risk associated with data and the importance of keeping it safe, a study has revealed.

While 56% of senior UK executives expect to suffer a security breach, only 49% say all their critical business data is secure, compared with just 63% globally, according to a report by NTT Com Security.

The report is based on a survey of 800 business decision-makers in a non-IT role in the UK, Australia, France, Germany, Hong Kong, Norway, Sweden and the US.

The survey is aimed at assessing the level of risk in large organisations and the value senior people place on data security.

Senior vice-president of security strategy at NTT Com Security Garry Sidaway said the security industry likes to think it is doing a good job educating businesses on the importance of data security.

“But from the results of the survey, it is apparent this message is still not getting across,” he told Computer Weekly.

The report identifies a need for better education around data security and a need for boards to ensure information security-rich management is embedded into the business, said Sidaway.

Nearly three-quarters of UK respondents believe it is vital their organisation is insured for data security breaches.

However, only half said their company insurance currently covers the financial impact of a security breach or data loss.

“The results provide some real insight into the minds of non-IT executives about the value they place on the data in their business and whether they feel this data is at risk,” said Sidaway.

“The report shows a kind of security-maturity scale developing among businesses who value their data, but do not always recognise the risks to critical information,” he said.

For example, when asked what they associate with the term data security, only half described it is as 'vital’, while less than a quarter see it as ‘a business enabler’.

“Unfortunately, security at the board level still tends be associated with data protection and compliance when, in fact, securing data properly is absolutely critical to enabling businesses to thrive and survive,” said Sidaway.

“There is also a growing disconnect between the cost of breaches and the importance organisations place on IT security to drive these costs down,” he said.

UK executives underestimating impact of a security breach

The report reveals UK executives are also underestimating the impact of a security breach.

Almost a fifth think there would be no significant impact on their revenue, while 28% admit they do not know what the financial implications would be. 

“It is this lack of awareness around data security-related issues that businesses need to tackle, because data security is a shared responsibility and awareness is key to that,” said Sidaway.

“Business executives should be aware of the controls and of their responsibility in keeping it safe,” he said.

On average, however, UK companies estimate a drop in revenue of 7%, and a quarter say it would take between one and three months to recover, with five months being the average in both the UK and across all eight countries.

The NTT Com Security Risk:Value report highlights four key areas: data policies, data security, impact of a data security breach and personal knowledge/behaviour.

Data policies in the business

The survey found a quarter of UK executives do not know how much of their IT budget is spent on data security – the highest of any country.

We are seeing a growth in spending on security technology and services, but the understanding that is driving that is not being carried through to the non-IT executives

Garry Sidaway, NTT Com Security

“We are seeing a growth in spending on security technology and services, but the understanding that is driving that is not being carried through to the non-IT executives,” said Sidaway.

More than half of those polled think data security is expensive and 21% associate it with being disruptive.

“The challenge for security suppliers is finding a way to demonstrate business value to the board, showing that embedding security and risk management into the business enables greater efficiency, availability of services, and enables them to open and grow new markets,” said Sidaway.

“This needs to be the message to the business because information security and risk management, and data breach headlines, are often seen as constraining and negative – so we need to do a better job of showing the business advantages,” he said.

Just 6% of non-IT UK executives see poor data security as the single greatest risk to their business, the lowest of all eight countries.

“Again the report findings indicate executives are not making the link between data breach headlines and poor data security,” said Sidaway.

“This demonstrates that in general there is a poor understanding about what a company’s critical core data is, where it is stored and how it affects the particular business,” he said.

Data security

Just under half of UK respondents said all critical data is completely secure, compared with 66% in the US and 54% in Australia. Hong Kong ranked lowest with just 29%.

Little more than a third of UK executives rank consumer customer data as the most important data they need to protect, followed by business customer (33%) and employee data (27%).

Fewer than half think all their consumer and business customer data is completely secure.

Impact of a data security breach

Just over half of UK respondents said their company insurance covers the financial impact of data loss or a security breach, higher than the average of 48%, but lower than the US (71%) and Australia (57%).

More than a third did not know what their company insurance covers in the event of a security breach or data loss – the highest percentage for any country except France (45%).

The UK government recently announced a partnership with the insurance industry aimed at improving how businesses manage cyber security risk.

“Government initiatives help to raise awareness around issues and few companies are doing a good job of managing, quantifying and contextualising cyber security risk,” said Sidaway.

“Insurance could be a good way of encouraging businesses to identify their critical data and improving the security controls they have around that,” he said.

In the context of insurance, Sidaway said threat modelling can be useful in identifying the potential impact of a particular vulnerability to business.

“Businesses can then use this to negotiate a premium with their insurers by outlining what controls they have in place,” he said.

Almost a third of UK companies said they do not have a business or disaster recovery plan in place in the event of a breach.

Personal knowledge and behaviour

Only half of UK executives said they are kept fully up to date by their IT security team about data attacks and potential threats – below the global average of 59%.

Nearly half of UK business decision-makers depend upon their IT security team to allow them to use and access work-related data safely whatever device they are using, but a third see it as a joint responsibility between themselves and the security team.

A fifth admit to using personal devices not approved by IT security for work purposes.

Recommended steps

  1. Education – improving internal knowledge and awareness of data security among employees, explaining the importance and implications of what people do when accessing and using corporate data.
  2. Understanding this is not just technology, but people and processes too. Enforce a formal security policy and communicate it all staff.
  3. Completely securing all critical data by implementing the appropriate controls to detect and respond to the threats faced to reduce potential loss.
  4. Taking out appropriate (cyber) liability insurance to cover for both data loss and data security breaches.
  5. Outsourcing security requirements to a managed security services provider.

“The report shows a huge disconnect between the high proportion of executives who expect to be breached and the level of preparedness,” said Sidaway.

“Understanding of the importance of intellectual property data and customer data is extremely low – there is no connection between headlines about credit card fraud and personal data,” he said.

The report also indicates these headlines are not associated with the potential impact a similar breach could have on the business.

“More non-IT executives need to understand they do have intellectual property data that affects their bottom line and needs to be protected,” said Sidaway.

“They also need to understand they do have personal customer and employee data that could impact their business significantly if it were compromised,” he said.

Overall, the report shows most non-IT business decision-makers are not primarily concerned with the technology challenges or risks faced by their organisations.

While 82% of global respondents understand the importance of their organisation’s data, the level of knowledge about this data can vary among senior business decision-makers.

The extent to which organisations are willing to commit significant amounts of their IT budget to data security also varies.

The report concludes executives need to understand how a data security breach can have far-reaching implications for their company’s profits, reputation, growth and ability to attract the best talent. 

They also need to acknowledge the long-term financial impact and the time it takes to recover from a security breach.

The report recommends data security should form part of a company’s overall risk posture and data security needs to be valued as much as profits and reputation.

Read more on Privacy and data protection