July 20, 2015

Does Your Information Security Budget Match the Risks?

Information security budget statistics are confusing. While the frequency and cost of data security incidents are increasing, some research shows information security programme spending is down.

According to PwC’s Global State of Information Security Survey 2015, the reported number of security incidents in 2014 rose 48% to 42.8 million. At the same time, it showed global cyber security budgets fell by 4% compared to 2013.

Conversely, a study commissioned by the Department for Business, Innovation and Skills described the cyber security market in the UK as ‘one of the most buoyant and fast-growing segments of the IT industry’, predicting that its value would increase from almost £2.8 billion in 2013 to over £3.4 billion in 2017.

How come these numbers don’t add up?

Rob Cotton, who heads up security consultancy NCC Group, may have the answer. In an online article, he says cyber security costs have become entwined with many areas of business.

“Traditional information security and risk management are only a few areas of security,” he said. “It has become more pervasive and is now embedded within numerous business functions, processes and operations... meaning spending is often taken from multiple budgets in a de-centralised fashion without being itemised as cyber security cost.”

What are the key areas to consider in any workplace when setting an information security budget?

  • Risk analysis. Conduct regular risk analyses to identify where confidential information resides, as well as potential weaknesses in policies and procedures that may increase the risk of a breach.
  • Technology. There’s no question that intrusion prevention and detection tools, privileged user access controls, vulnerability scanning, and other data loss prevention software are important. In a recent Ponemon study, 67% of respondents said their organisations ensure, based on an IT risk assessment, that IT has the budget necessary to defend against attacks.
  • Training. A lot of organisations do not hold regular training sessions for their employees, according to Shred-it’s 2014 State of the Industry Information Security report. But consistent, formal training and a culture of security from the top down support employee knowledge of, and commitment to, information security.
  • Insider Threat Reduction. Recent research by Ponemon showed that most companies expect the risk of privileged user abuse to continue or get worse. It also showed that 51% allocate between 5 and 8% of their overall IT budget to insider threat technology. But it’s also clear that workplace policies such as an anonymous tip line, locked consoles for discarded documents, and a Shred-all policy (so that all documents are securely destroyed) protect confidential information from insider fraudsters too.
  • Supply chain. Third parties must be security and privacy minded too. For example, a document destruction partner should provide a secure chain of custody from the time paper is collected in locked containers in the workplace, to the time it is removed and securely shredded.
  • Aggressive mobile policy. Companies may supply their employees with specific mobile devices, let them choose from an approved list (known as a CYOD policy), or allow them to use their own devices. Bear in mind that the mobile workforce has been identified as a huge risk to information security. Create a mobile IT risk assessment strategy with defined email security, authentication for gaining access, and encryption software. Teaching security-minded work habits – so devices are never left unattended and lost – is important too.

Take this free security risk assessment to determine significant breach risks in your information security programme and learn more about how secure paper shredding services can help you avoid the costly fines and reputation damage of a data security breach.