Is it too late to turn back the rising tide of cyber crime?

COMMENT: With the technology, media and telecommunications (TMT) sector coming under increasing scrutiny from cyber criminals, perhaps the question I should be asking is whether TMT has turned into ITSec TNT?

With newly published research suggesting that 75 per cent of those enterprises within the TMT sector have reported a security breach so far this year - an increase of 13 per cent on the previous year - there's a real danger that data security will implode if nothing is done to stop the rising threat tide. Especially when you look closer at that research from Deloitte and discover that IT security budgets have largely, erm, gone precisely nowhere in response to the threats and stayed totally static.

The fifth 'Global TMT Security Survey', which Deloitte pitch as being "aimed at providing TMT companies with insight into the security and privacy challenges and threats they face or will face as an industry", makes for somewhat chilling reading, revealing that while many enterprises talk the security talk, few seem capable of walking the walk, or at least walking in a straight line towards data security at any rate.

OK, I will readily admit that when it comes to IT security strategy I am very much a glass half empty kind of a guy, preferring to plan for the worst case scenario rather than march zombified and ever onward with fingers crossed that it will never happen to me. Which is why I find it hard to understand how any serious enterprise, as in serious about keeping data safe and secure, will think that a 'stable security budget' is good enough when the cold, hard facts are slapping them in the face with rising breach rates and ever more complex threat vectors. So while the optimists, and bean counters, will be applauding the fact that IT security budgets have not actually fallen, I will continue to shout as loudly as I can that they are missing the point.

Not that I really need to shout that loud as it would appear that those businesses whose budgets have remained static are well aware that this is not a good thing. According to the Deloitte research half of those questioned said that they considered the lack of budget (along with a lack of personnel, but it amounts to pretty much the same thing ultimately anyway) as being the biggest barrier to 'adequate' information security. And there we go again, with my pessimistic alarm bells ringing at the sound of someone using 'adequate' as an aspirational measure. Adequate is bean-counter-speak for least costly, within budget, value for money, cheap. Adequate is not secure at any cost. Adequate is not as secure as we can make it. Adequate is not, I repeat, acceptable.

Nor is it acceptable, I would suggest, for a quarter of CISOs not to be reporting back to their senior executive team.

I am not the only one with this concern. James Alexander is cyber security partner at Deloitte and he insists that "information security across the TMT industry is a matter that requires C-level attention, and organisations must raise awareness of the issues and train employees how to deal with them. The bar is being raised to a new level, and we need to step up". I couldn't agree more.

That stepping up has to include improving the frankly miserable statistic of only 18 per cent of TMT organisations having established clearly defined practices to inform customers and 'external stakeholders' about the risks to their data, and the 35 per cent with 'partially defined' policies. Mind you, it wouldn't hurt to try and improve on the 39 per cent of workers who follow IT security policy in the enterprise, another staggeringly depressing figure thrown up on this occasion by research from privilege management specialists Avecto.

So, to sum up, it isn't too late to stem the cyber crime tide. However, unless you want to get seriously wet and risk seeing your data drowning in these dangerous seas, you had better start not only taking the subject more seriously but investing in suitably robust defences NOW.

Davey Winder
