How much security is too much?

As security breaches within UK companies continue on an upward curve, is throwing money at the problem the only solution? Or do we need to train ourselves to spend less, better?
Written by Will Taylor, Contributor

Security breaches within UK companies, large and small, continue on an upward curve.

At least, that's according to the 2012 Information Security Breaches Survey (PDF) from PwC, which was published in April. Indeed, the PwC report shows the number of breaches to be at "historically high levels", costing UK businesses billions of pounds every year.

So why would anyone, least of all someone working within the IT security industry, even contemplate that the solution could be to spend less and not more?

Think about it rationally for a moment and clarity will arrive in the shape of an obvious response: security resources can only be effective if they are properly applied. Which means considering the risks that really need mitigating, and allocating budgetary resources accordingly. 

With 80 percent of larger enterprises (see ISBS highlights, below) failing to evaluate the return on investment of their security spending, and with various surveys agreeing that they will have spent around seven to nine percent more on information security this year than they did last year, it's natural to wonder why this is.

Security spending 

One key statistic was almost lost in that ISBS report — namely that even though 50 percent of those companies plan to spend more on security this year than last, 67 percent of them also expect an increase in security breaches.

Even if we were not back in recession (and apparently we are), that would be utterly ridiculous from any strategic spending point of view. To spend more and achieve less when budgets are stretched to breaking point is just plain stupid.

Chris Potter, a PwC information security partner, said when the ISBS report was published that "the key challenge is to evaluate and communicate the business benefits from investing in security controls", which makes perfect sense. But Potter also insisted that given "most organisations take a lot of action after a breach to tighten up their security, scrimping and saving on security creates a false economy" — a remark that bears further thought.

It's not the spending of cash that is a problem, but the assumption (on the part of many companies, and not Mr Potter, no doubt) that throwing money at the problem makes it go away. There are companies that have plenty of money and have still suffered security breaches.

Not only does poorly targeted security spending not secure the right data from the relevant threats, but it also impacts negatively on the rest of your business.

The more money that's wasted on ineffective security defences, the less money there is for competing business IT spend. The more complex the defences that get layered one on top of the other, the more administrative time gets thrown away trying to manage them — and the burden on IT staff creates a knock-on productivity loss elsewhere within the enterprise.

A more intelligent approach

There can be little doubt that security policies in most businesses have room for review and updating, with a move away from one-size-fits-all point solutions to a more intelligent and resource-efficient approach.

What do we mean by that? Now that's the easiest question so far. The chances are fairly high that you already have enough technology in place to mitigate the security threat to the point where the balance of risk against expenditure tips in your favour.

What's needed is an investment not in more technology, but in more awareness. For example, when security vendor AVG completed a 'market landscape survey' of the SME sector at the end of last year, it found that a majority of businesses were still very much focused on old-school threats such as email and web virus infection.

Educating employees, from the shop floor to the server room, about the real risks and the measures available to avoid them has been proven time and time again to deliver results.

Misfeasance is, in all honesty, probably the biggest security threat that companies face today.

Information Security Breaches Survey (ISBS) 2012 highlights: 

  • 93 percent of large organisations and 76 percent of small businesses experienced a security breach last year
  • 15 percent of large organisations detected successful network hacker penetrations
  • 80 percent of large organisations, and 53 percent of small businesses, fail to evaluate the return on investment of security expenditure
  • 50 percent of large organisations expect to spend more on security next year, yet 67 percent still expect more security breaches
  • 75 percent of organisations where security policy was poorly understood experienced a staff-related breach
  • 54 percent of small businesses have no security education programme in place
  • 44 percent of large organisations gave additional staff training after a breach
  • The average cost to a small business following a security breach was £15,000-£30,000
  • The average cost to a large organisation following a security breach was £110,000-£250,000
