Despite the alarming frequency of data breaches and cyber crime, research shows there’s still not enough money – or attention – being paid to information security, and specifically cyber security, in the workplace.
62% of CIOs and other cyber security professionals in EY’s Global Information Security Survey 2015 said budget constraints are their biggest challenge.
In the earlier 2015 Global Study on IT Security Spending & Investments by Ponemon Institute, 50% of respondents reported that their IT security budgets were flat or in decline.
The Global State of Information Security Survey 2015 by PricewaterhouseCoopers (PwC) showed that for the past 5 years, the average security budget has been at just 4% of overall IT spending.
But when it comes to cyber security threats, experts say that a “steady and responsive approach” to investment is critical.
Almost 3/4 of respondents in the EY survey said their information security budget needs to rise by up to 50%.
Here is where spending shortages can show up and impact information security programs.
- Detection and Incident Response: While IT protection (anti-virus software, firewalls, etc.) from cyber threats is standard for most organizations, early detection safeguards and rapid response plans should also be in place – but aren’t always. A recent story published by the Boston Globe reported: “In most cases companies don’t realize they’ve been attacked until months after the first breach has occurred”; and by then, cyber criminals have stolen confidential information they may use in future attacks. The 2015 Travelers Business Risk Index showed that only 33% of organizations have a cyber or data breach response plan.
- Lack of Security Expertise: In the EY survey, 57% of respondents said a lack of skilled resources is also impacting information security. Since the global demand for cyber security professionals keeps increasing and a shortfall of 1.5 million is forecast by 2019, finding qualified cyber security experts will, in part, depend on salary. At the same time, “effective cyber security starts with awareness at the board and c-suite level,” said a recent report from Deloitte. An inadequate budget and a lack of support from the organization’s leadership make it difficult to acquire state-of-the-art technologies, the Ponemon study concluded.
- Security Awareness Training: Employees should be trained in information security best practices, especially social engineering schemes such as phishing. Careless or unaware employees were the number one threat that increased risk exposure in the EY survey. Only 8% of respondents in the Ponemon study said cyber security training for all employees was an IT security objective.
- Insurance: 2/3 of the companies surveyed recently by Advisen, a research group, had not purchased a cyber insurance policy. The British insurance company Lloyd’s has estimated that cyber attacks cost businesses as much as $400 billion a year.
- Mobile Device Protection: By 2018, 70% of mobile professionals will do all of their work on personal smart devices, according to Gartner research. The EY survey showed that poor user awareness/behavior is the main risk associated with mobile devices. Also, the Ponemon study showed 50% of companies dedicate zero ($0) budget towards securing the mobile apps they build for customers.
Today, the information security budget must also include secure document destruction of confidential information in paper and digital formats.