The low level of concern about data security risks in Australia is reflected by business decision-makers in other countries, according to security and risk management company NTT.
In its recently commissioned survey of 800 business decision-makers worldwide, including in Australia, NTT reveals that nearly two-thirds (63%) of respondents expect to suffer a security breach at some point, but less than one in ten (9%) see ‘poor data security’ as the greatest risk to their business.
In Australia, just over half of the business decision-makers surveyed (56%) say they do have a formal data security policy in place, while 56% have a business or disaster recovery plan in the event of a breach, which is above the global average of 47%.
According to NTT, however, businesses are most likely to see risks coming from competitors taking market share, lack of employee skills and decreasing profits, rather than recognising the long-term damage – both in terms of time and money – of a security breach.
The survey, undertaken for NTT by Vanson Bourne, reveals that over half of senior decision-makers (59%) agree there would be minimal long-term damage from a security breach, although a significant number report that their organisation would suffer reputational damage (60%) and loss of customer confidence (56%) if data was stolen.
In Australia, when it comes to the financial impact of a security breach, business decision-makers estimate that their revenue would drop, on average, by 9% as the result of an attack.
But 14% expect a security breach to have no impact at all on revenue, while more than a quarter (29%) admit they do not know what the financial implications would be.
“The concern here is whether senior business decision makers recognise the risks to their organisation, as well as understand the value of good data security. There seems to be a worrying level of indifference,” said Garry Sidaway, Senior Vice President Security Strategy & Alliances, NTT Com Security.
“When we asked respondents what they associate with the term data security, only half believe it is ‘vital’ to the business, less than half see it as ‘good practice’ and less than a quarter see it as ‘a business enabler’. The majority unfortunately still associates security with data protection or privacy.
“The report also suggests that there is still a disconnect between the cost of data breaches and the importance organisations place on IT security to drive these costs down. With security incidents making headlines daily, and costs soaring for a major breach – up to AUD $2.1m on average for a large organisation – a security incident can have far-reaching implications, from damaging a company’s reputation and share price to its ability to attract the very best talent.”
According to Simon Church, CEO for NTT Com Security, most business decision-makers “are not primarily concerned with the challenges or risks faced by their organisations that relate to technology”.
“As an industry, we need to be much smarter at educating businesses about the wider implications of data breaches, and help move the information security dial from ‘important’ to ‘vital’, so that it becomes an essential part of a company’s overall risk posture and valued as highly as profits and reputation.”
Key findings of the NTT report include:
Data policies in the business
• On average 10% of an organisation’s IT budget is spent on data/information security, although 16% of respondents do not know the amount spent
• Around half (49%) regard data security as ‘expensive’ and 18% see it as ‘disruptive’
• Globally, less than half (44%) report that all of their critical data is ‘completely secure’, while in Australia 54% said it was
• 55% of respondents report that (consumer) customer data is vitally important to the success of their business, but only 37% report that all (consumer) customer data is ‘completely secure’
• 45% report that business performance data is vitally important to their business, but only 31% admit that all of this data is ‘completely secure’.
Impact of a data security breach
• Around three-quarters (72%) say it is vital their organisation is insured for security breaches
• Less than half (48%) say their company insurance covers both data loss and a security breach
• A quarter of those with any insurance do not know exactly what they are insured for in the event of a data security breach.
Personal knowledge and behaviour
• Less than half (41%) are not kept up to date by the IT security team about data attacks and potential threats
• 28% rely upon their own judgment of what is ‘safe behaviour’ when using/accessing work-related data, but a fifth (21%) state data security is a joint responsibility between them and the IT team.