Information security – Security conscious

First, the good news. UK businesses are investing more in information security than ever before. The vast majority have either increased their security spend in the last year or kept it at the same level. Only one in 20 businesses reported a decrease in spend. The economic climate of the past few years may have dampened IT spend, but because information security is now taken seriously at board level it remains a priority for many companies.

But it’s not all good news. The results of the DTI information security breaches survey 2004, published at the end of April, show that three quarters of all UK businesses, and a staggering 94% of large companies, suffered a security breach in the last year.

What’s more, the frequency of security breaches is growing rapidly. The average company suffered one breach a month, and for large organisations the figure was closer to one breach a week. The average cost of a small business’s worst breach was £10,000, rising to £120,000 for a large company. Some companies reported losses in the millions, and the overall cost to UK plc runs into billions.

Given these figures, it is perhaps no surprise that information security is a high priority for top management. Yet, the survey results show that this priority is all too often failing to translate into effective action.

Significant weaknesses in basic security disciplines continue to leave many companies exposed to security threats. And it’s a situation that’s likely to worsen. Most companies predict that there will be more rather than fewer security breaches in the future, and that these will be harder to deal with than problems experienced today.

One root cause of this disconnect is a skills gap. Many businesses simply lack the expertise or knowledge to understand the security threats they face.

An even more significant issue is under-investment in security controls.

As a general rule, companies should expect to spend between 3% and 5% of their IT budget on information security. In high-risk sectors such as financial services, an average of around 10% would be expected.

UK companies appear to have taken these recommendations to heart. They now spend on average 3% of their IT budget on security (up from 2% two years ago), rising to an average of 4% among large businesses. Roughly a quarter of companies are investing in security at, or above, benchmark levels.

In large companies, this rises to roughly half.

But the averages mask a mixed position. The majority of businesses still spend less than 1% of their IT budget on security. This shortfall goes some way towards explaining why security remains such a difficult area for UK businesses, and why it continues to cause considerable frustration for the staff responsible for keeping the business safe.

To some extent the variations in spend reflect the varying natures of the businesses surveyed. Broadly speaking, sectors with high dependence on technology or significant confidential material tend to spend more.

Sectors with less exposure tend to spend less.

But the industry variation is only part of the story. The reality is that no sector is immune from under-investment. Across the board, at least a third of companies spend less than 1% of their IT budget on security.

This is partly because security continues to be seen as an overhead and a necessary evil rather than an investment. Fewer than half of all businesses ever evaluate the return on investment from their security spend. This situation has not changed significantly in the last two years. It is also one of the few areas where large companies do no better than their smaller counterparts.

Fortunately, a lack of return on investment calculations does not always equate to a lack of investment. But without this information it is certainly difficult to prioritise security spend against other projects, or to convince senior management that security is anything more than forced expenditure rather than something that can bring positive business benefits.

Perhaps surprisingly, the main reason why businesses do not estimate return on investment is that no-one asks for it.

At least this is the case in almost a third of businesses. In a further one in eight companies, the person responsible for information security does not know how to do the calculation. Many come from a technical rather than a commercial background, and have simply never learned the technique.

A quarter of respondents admitted they found it difficult to quantify the expenditure required to address their information security issues.

And yet direct costs are the easy part. The genuine difficulty lies in quantifying the intangible benefits of investment, or in estimating the losses from not investing.

In highly regulated or sensitive sectors such as financial services or telecommunications, potential damage to a company’s reputation is very hard to quantify. You might assume that these sectors would therefore place less emphasis on return on investment calculations. In practice, this is not the case.

Guidance is increasingly available on how best to do the sums. Security vendors in particular are doing a far better job of providing the means to evaluate the return on their own products. It goes without saying that businesses should check that any information they rely on is unbiased and fair-minded, particularly when it comes from a vendor with a product to sell.

Despite the lack of return on investment calculations, most businesses consider it easy to build a business case for security expenditure. For investments in anti-virus and backups, senior management already sees it as a no-brainer. For areas such as data protection, encryption, server security, and security policies and standards, senior management appears less convinced of the benefits. Even so, most respondents found it easy to make a case and secure funds.

Nonetheless, business managers and the finance function have a critical role to play in breaking the cycle of under-investment if they are to reap the benefits, rather than simply bear the costs, of the internet. This is not a problem that will go away.

  • Chris Potter is the PricewaterhouseCoopers partner who led the information security breaches survey 2004 for the DTI.
