Cyber security response 'could make companies more vulnerable'



Many companies are taking new steps in an attempt to make their data and IT systems more secure, but they might actually have the opposite effect.

This is the view of Gartner's 2013 Global Risk Management Strategy, which claims that the fear of more advanced forms of cyber attack is causing companies to move away from well-established security measures like enterprise risk management and risk-based information security.


Rather than using such methods, they are seeking to rely on technical security, a Gartner survey of 555 organisations in the UK, US, Canada and Germany showed. The proportion of organisations using enterprise risk management halved from 12 per cent to six per cent.

However, Gartner argues, this actually makes them more vulnerable to emerging threats, suggesting that the FUD (fear, uncertainty and doubt) trap is snaring a growing number of enterprises.


Research director at Gartner John Wheeler commented: "While the shift to strengthening technical security controls is not surprising, given the hype around cyberattacks and data security breaches, strong risk-based disciplines, such as enterprise risk management or risk-based information security, are rooted in proactive, data-driven decision making.

"These disciplines focus squarely on the uncertainty risk as well as the methods or controls to reduce it. By doing so, the associated fear and doubt are subsequently eliminated."


He argued that this will mean that companies will cease to be vigilant towards risk-based threats and therefore be more prone to falling victim to them. The result of this will be an eventual shift back to risk-based strategies when firms realise their benefits, but by then many will have suffered the consequences of the change.

One positive impact of the FUD factor suggested by the report is that concerned companies will raise their levels of IT security investment and staffing. In the survey, 39 per cent of firms revealed they had dedicated over seven per cent of their IT budget to security in 2013, compared with only 23 per cent last year.


However, the survey found, there was no guarantee that such budgets will be maintained in the future, while the proportion of companies handling IT risk through management committees fell year-on-year from 53 per cent to 39 per cent.

"These incongruent survey findings seem to validate the observation that risk-based, data-driven approaches are falling to the wayside in favor of FUD-based, emotion-driven activities," Mr Wheeler commented.


"Or, perhaps more disturbingly, they indicate that those who have concerns are simply burying their head in the sand, rather than proactively addressing emerging threats," he added.

For companies concerned about their information security, there is an alternative approach. Rather than worrying about spending heavily on such issues in this year's budget but not in 2014-15, about how much management input (or expertise) is available, or about whether the overall approach to risk and cyber threats is the right one, a sensible option may be to use the services of a remote host that can store data safely, securely and remotely.


By doing this, the issues can be outsourced to dedicated professionals who can identify risks and who know the latest means of tackling threats, just what those dangers are and what the most appropriate response is.

In the case of the UK, the need to do this may be considerable. The Gartner report suggests that companies may lose out by changing the way they seek to deal with IT security matters. However, for some the problem is worse still – a lack of any kind of concerted approach towards cyber threats and thus a high level of vulnerability.


This was the conclusion of Ernst & Young's Global Information Security Survey 2013, published last week, which found 66 per cent of senior company executives reported the number of cyber attacks on their firms had jumped by five per cent or more in the past year.

Perhaps the most alarming finding of the survey was that only four per cent of those polled said they believed their in-house security systems were robust enough to ward off such attacks.

Information security director for Ernst & Young Mark Brown said companies need to face the reality that it is a question of when they will be targeted, not if.


Storetec News/Blogs. "http://www.storetec.net/news-blog/cyber-security-response-could-make-companies-more-vulnerable/".

Cyber Security Response 'Could Make Companies More Vulnerable'. November 8, 2013. Storetec.