NTT Security has published its Risk:Value 2017 report (registration required). The report looks at attitudes and spending on information security across enterprises in several countries. It also shows that the cost of recovering from a data breach continues to rise. There are also some significant differences across national borders when it comes to spending and information security.
In a statement Linda McCormack, Vice President UK & Ireland at NTT Security, said: “Companies are absolutely right to worry about the financial impact of a data breach – both in terms of short-term financial losses and long-term brand and reputational damage. Although this year’s £1.1m figure is slightly down on last year’s report (£1.2m), no company, regardless of its size, sector or focus, can afford to ignore the consequences of what are increasingly sophisticated and targeted security attacks, like the widespread and damaging ransomware attack we recently witnessed.”
The report was compiled from the responses of 1,350 decision makers in 10 countries. Enterprise Times was given access to the questions and responses, excluding any data that could be termed PII. This deeper set of data shows just how differently countries view information security and the risks they are exposed to.
A wide variation in budget spend
The report asked a wide range of questions from budgetary spend to where data was located. There is a wide difference in some areas between countries and not necessarily because some countries have much stricter security requirements. Companies in Singapore, a country with strong security requirements, said that just 29% of their critical data was secure. Compare this with France where 61% of companies had secured their critical data.
Budget spending was another area where there was a big disparity. In Sweden, companies spend the least of their IT (11.81%) and operations (12.9%) budgets on information security. By comparison, US-based companies spend 16.89% and 19.58% respectively.
The impact of regulations on data location and protection
Companies have been moving their data into the cloud. To protect data and privacy, there has been an increase in data sovereignty requirements from governments. Despite this, only 54% of companies in France had any clue where the organisation's data was stored. The UK (57%) was only just better. In Germany, where data sovereignty rules have led to a surge in new data centres, 72% of companies know where their data is physically stored. However, they still have some way to go to beat companies in Hong Kong, where 82% of IT teams know where the data is physically located.
Regulations are having a significant impact (>85%) on where data is stored in most countries. The UK is the exception: there, 18% disagreed and 10% had no idea what impact regulations were having. This is a serious problem for the UK.
There has been a lot of misinformation in some quarters about the impact of GDPR as the UK proceeds with Brexit. Just 39% of UK respondents say GDPR will apply to them. GDPR will come into force next year. Any company, irrespective of where it is in the world, will have to comply with its requirements in order to store data on European citizens. UK companies are not the only ones in Europe to misunderstand the impact of GDPR. Germany (53%) and Switzerland (58%) were the best-scoring European countries.
Information security policies hidden in a bottom drawer
Refreshingly, the vast majority of companies have information security policies in place. They also believe those policies have been communicated to their staff. While the majority say that staff have some awareness of those policies, only Hong Kong and Germany reported that 50% or more were fully aware. Companies need to do more to validate awareness of information security policies; otherwise those policies are of little practical use.
Overall, the C-suite is believed to be more aware of these policies than the rest of the business. As they are ultimately responsible for them, that is to be expected.
Incident response planning improving but big losses still expected
Recent high-profile data breaches have exposed poor incident response plans. Given the reputational damage of a breach, something most companies admitted was a concern, good incident response plans are a must. The UK (65%) and US (62%) are ahead when it comes to planning. Companies in Sweden (28%) and Norway (29%) have a long way to go, although respondents in both countries (54%/45%) say they are implementing new plans.
One of the advantages of a well-rehearsed incident response plan is that it minimises the financial damage when a breach occurs. The majority of companies across all countries believe a breach will cost them between 5% and 20% of revenue. The average is 10%.
Put in monetary terms, this means the average organisation expects to lose up to $250,000. In the UK and Switzerland, 13% of companies said it could cost them up to $5 million. What is not clear is whether those companies had already factored in the potential impact of GDPR. That would mean a loss of 4% of global turnover or $20 million, whichever is the larger.
What does this mean?
There is good and bad in this report. More is definitely being spent on information security than in past years. There is also an increase in the number of companies that have developed good policies and incident response plans.
The worry is that many companies, irrespective of where they are based, are unprepared for GDPR. The financial penalties for a breach alone can threaten the survival of a business. More importantly, the average cost of recovering from a breach climbs year after year.
Companies must ensure staff know what their information security policies are. They also need to practise their incident response plans. Unless they do, they won’t know whether the plans work or how well they will help limit the damage of a data breach.