Storetec Services Limited
Cyber Security Response 'Could Make
Companies More Vulnerable'
Many companies are taking new steps in an attempt to make their data
and IT systems more secure, but they might actually have the opposite
This is the view of Gartner's 2013 Global Risk Management Strategy,
which claims that the fear of more advanced forms of cyber attack is
causing companies to move away from well-established security
measures like enterprise risk management and risk-based information
Instead of using such methods, they are instead seeking to use
technical security, a survey by Gartner of 555 organisations in the UK,
US, Canada and Germany showed. The proportion of organisations
using enterprise risk management halved from 12 per cent to six per
However, Gartner argues, this actually makes them more vulnerable to
emerging threats, suggesting that the FUD (fear, uncertainty and doubt)
trap is snaring a growing number of enterprises.
Research director at Gartner John Wheeler commented: "While the
shift to strengthening technical security controls is not surprising, given
the hype around cyberattacks and data security breaches, strong riskbased disciplines, such as enterprise risk management or risk-based
information security, are rooted in proactive, data-driven decision
"These disciplines focus squarely on the uncertainty risk as well as the
methods or controls to reduce it. By doing so, the associated fear and
doubt are subsequently eliminated."
He argued that this will mean that companies will cease to be vigilant
towards risk-based threats and therefore be more prone to falling victim
to them. The result of this will be an eventual shift back to risk-based
strategies when firms realise their benefits, but by then many will have
suffered the consequences of the change.
One positive impact of the FUD factor suggested by the report is that
concerned companies will raise their levels of IT security investment
and staffing. In the survey, 39 per cent of firms revealed they had
dedicated over seven per cent of their IT budget to security in 2013,
compared with only 23 per cent last year.
However, the survey found, there was no guarantee that such budgets
will be maintained in the future, while the proportion of companies
handling IT risk through management committees fell year-on-year
from 53 per cent to 39 per cent.
"These incongruent survey findings seem to validate the observation
that risk-based, data-driven approaches are falling to the wayside in
favor of FUD-based, emotion-driven activities," Mr Wheeler
"Or, perhaps more disturbingly, they indicate that those who have
concerns are simply burying their head in the sand, rather than
proactively addressing emerging threats," he added.
For companies concerned about their information security, there is an
alternative approach. Rather than worry about throwing lots of money
at such issues in this year's budget but not in 2014-15, how much
management input (or expertise) there is, or whether the overall
approach to risk and cyber threats is the right one, a sensible approach
may be to use the services of a remote host who can store data safely,
securely and remotely.
By doing this the issues can be outsourced to dedicated professionals
who can identify risks, know the latest means of tackling threats, just
what those dangers are and what the most appropriate response is.
In the case of the UK, the need to do this may be considerable. The
Gartner report suggests that companies may lose out by changing the
way they seek to deal with IT security matters. However, for some the
problem is worse still – a lack of any kind of concerted approach
towards cyber threats and thus a high level of vulnerability.
This was the conclusion of Ernst & Young's Global Information Security
Survey 2013, published last week, which found 66 per cent of senior
company executives reported the number of cyber attacks on their
firms had jumped by five per cent or more in the past year.
Perhaps the most alarming finding of the survey was that only four per
cent of those polled said they believed their in-house security systems
were robust enough to ward off such attacks.
Information security director for Ernst & Young Mark Brown said
companies need to face the reality that it is a question of when they will
be targeted, not if.
Cyber Security Response 'Could Make Companies More
Vulnerable'. November 8, 2013. Storetec.