Less than a third (31%) of UK companies plan to increase spending on information security over the next year, compared to just over half (52%) of the overall global respondents to the 8th annual Global State of Information Security Survey, conducted by PricewaterhouseCoopers (PwC) in conjunction with CIO and CSO magazines.
This is despite the fact that 60% of UK respondents said economic conditions and the increased number of threats continue to drive information security spending. The survey, the largest of its kind, sampled some 13,000 executives and information security professionals around the world, with 640 polled in the UK.
William Beer, Director, PricewaterhouseCoopers LLP, said: “It is perhaps not too surprising that the challenging economic and business environment we’re experiencing in the UK post-recession is having a negative impact on security spending. Yet such spending restraints may risk seriously undermining the ability of organisations to protect their most sensitive data.”
The survey also identifies outsourcing and supply chain concerns as significant drivers of security spending, but again the UK is somewhat out of step with the global trend. A larger proportion of UK respondents said their business partners (68%) and suppliers (66%) had been weakened by economic conditions.
The survey also comes up with the interesting finding that in the UK many companies are now using insurance as an innovative tool to protect themselves from theft or misuse of assets like sensitive data and customer records. Over a third (38%) of UK respondents said their organisation has an insurance policy and a significant 83% said their company has collected on a claim (compared to just 13% globally).
Globally, the survey notes that over the last four years the business impacts – including financial losses as well as compromises to brands and reputations – have more than tripled in some cases (up by as much as 233%).
In the UK, rising levels of breaches are creating a growing recognition that security’s strategic value needs to be more closely aligned with the business than with IT. One outcome of this has been the shift in the reporting channel of the Chief Information Security Officer (CISO) towards key decision-makers like the CEO and CFO rather than the Chief Information Officer (CIO).
As if protecting data across applications, networks and mobile devices wasn’t complex enough, social networking is presenting companies with a new frontier of risk. Few, however, are adequately prepared to counter this threat. In the UK, only 32% said their organisation has implemented the technologies needed to support social networking and other Web 2.0 exchanges (blogs, wikis), which compares unfavourably with 60% globally.
William Beer concluded: “Lack of focus on social networking can expose organisations to a variety of risks, including loss or leakage of information, damage to a company’s reputation, illegal downloading of pirated material, and identity theft. It’s not a passing fad and the real challenge will be how to integrate it with the more well-established operational models.”