Hacking attacks against Blighty's top firms hit a record high according to figures for 2011. On average, each large organisation suffered 54 significant digital assaults in that 12-month period, twice the level in 2010, while 15 per cent – one in seven – had their networks successfully penetrated by unauthorised parties. The …
Poor application of Quantitative $$££
The biggest problem is that risk is not portrayed to management in a language they understand, i.e. $$ ££ wonga.
Far too many IT security bods say "Oh, it's a high risk or a critical vulnerability" when what they should do is act and talk like accountants.
There is a 20% likelihood we could be compromised this year; potential losses could be between £50k and £1 million. But if we spend £120k on these controls X, Y, Z the risk likelihood drops to 7% and losses would drop to between £50k and £500k.
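The comparison in the comment above is a textbook annualised loss expectancy (ALE) calculation. The following is an added example, not code from the commenter or from the article, that carries the commenter's own figures (20%, £50k to £1M, a £120k control, 7%, £50k to £500k) through the standard ALE and return-on-security-investment (ROSI) formulas, once as a point estimate using the midpoint of the loss range and once as a seeded Monte Carlo run. The uniform loss distribution, the function names and the iteration count are assumptions made for the example.

```python
"""Quantitative risk comparison in the style of the comment above (added example).

The probabilities, loss ranges and control cost are the commenter's figures;
ALE and ROSI are the usual textbook formulas. The uniform loss distribution
and the Monte Carlo sampling are assumptions made for this example.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    p_breach: float   # probability of at least one compromising incident per year
    loss_low: float   # lower bound of loss given a breach, in GBP
    loss_high: float  # upper bound of loss given a breach, in GBP

    def midpoint_ale(self) -> float:
        """Point-estimate ALE: probability times the midpoint of the loss range."""
        return self.p_breach * (self.loss_low + self.loss_high) / 2

    def simulated_ale(self, years: int = 100_000, seed: int = 1) -> float:
        """Monte Carlo ALE: in each simulated year a breach occurs with
        probability p_breach, and its loss is drawn uniformly across the
        stated range (assumption). Returns the mean annual loss."""
        rng = random.Random(seed)
        total = 0.0
        for _ in range(years):
            if rng.random() < self.p_breach:
                total += rng.uniform(self.loss_low, self.loss_high)
        return total / years


def ale_reduction(before: Scenario, after: Scenario) -> float:
    """Annual loss avoided by the controls, on the midpoint estimate."""
    return before.midpoint_ale() - after.midpoint_ale()


def rosi(before: Scenario, after: Scenario, control_cost: float) -> float:
    """Return on security investment: (ALE reduction - cost) / cost.
    Negative means the controls cost more per year than the loss they avoid."""
    return (ale_reduction(before, after) - control_cost) / control_cost


# The commenter's figures, constructed here as the two scenarios being compared.
BEFORE = Scenario(p_breach=0.20, loss_low=50_000, loss_high=1_000_000)
AFTER = Scenario(p_breach=0.07, loss_low=50_000, loss_high=500_000)
CONTROL_COST = 120_000  # annual cost of controls X, Y, Z


if __name__ == "__main__":
    print(f"ALE before controls (midpoint): £{BEFORE.midpoint_ale():,.0f}")
    print(f"ALE before controls (simulated): £{BEFORE.simulated_ale():,.0f}")
    print(f"ALE after controls  (midpoint): £{AFTER.midpoint_ale():,.0f}")
    print(f"Annual loss avoided: £{ale_reduction(BEFORE, AFTER):,.0f}")
    print(f"ROSI on £{CONTROL_COST:,} of controls: {rosi(BEFORE, AFTER, CONTROL_COST):.1%}")
```

On the midpoint estimate the controls avoid about £85,750 of expected annual loss against a £120,000 outlay, so the ROSI comes out negative; that is precisely the kind of conclusion the "talk like accountants" framing is meant to surface, and it is sensitive to how the loss range is modelled (a distribution skewed towards the top of the range would change the answer).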
Land Of Shopkeepers, Eyerolling
If your company has serious intellectual property (blueprints, innovative/secret processes, develops software, develops drugs, novel chemicals etc.), then I find it very funny to attach financial figures to the secrets in question.
How do you calculate the value of the complete corporate knowledge of your company? How valuable is the very existence of your company? (As the Chinese will soon start to make the exact same product at 20% of the cost??)
No, the confidentiality of a company's secrets is more or less the same as its existence. So, identify the core intellectual property and go to great lengths to protect it. Don't try beancounting!
Less mature controls?
"However, it is also true that small businesses tend to have less mature controls, and so may not detect the more sophisticated attacks"
"On average, companies spent eight per cent of their IT budget on infosec, and those that suffered a very serious breach spent on average 6.5 per cent of their IT budget on security."
That would be eight per cent on top of their current IT budget, usually running to 20% ...
Not sure I agree with your headline, John
Putting to one side the argument about how accurate the loss estimation is (and that the true rate of breaches will be higher, as this is just the detected figure), a key figure from this presentation was that the total loss to UK biz was estimated at £5-£10 billion. However, this also needs to be set against a total UK spend on IT security of around £5 billion.
Do you really think we'd eliminate incidents if the whole of the UK doubled their security spend? We'd sure as hell cut the rate, but I'd be quite surprised if it made even a 50% difference to the overall rate of incidents.
Therefore, on a simple cost vs benefit basis, UK biz is now probably spending more or less the right amount for the current threat level.
The issues at present therefore are:
a) Is the money being spent on the right things?
b) Are the right incentives in place for companies to get it right (e.g. who ultimately bears the costs for identity theft)?
c) Do businesses have any meaningful way to assess the value of what they have spent (this again was something that the PWC guys drew attention to)?
So, spend more - probably not, but we do need to spend better.