Tech firms risk 'catastrophic' breaches of data security

Crucial sector told to treat IT security as a business issue or face disaster

Technology, media and telecoms (TMT) companies have not got to grips with information security and risk catastrophic security breaches, according to a survey by Deloitte Touche whose findings have been described as “scary” by one expert.

Although 69% of over 100 global TMT companies surveyed felt they were addressing current security threats, only 7% felt prepared for future threats. Half the survey respondents allocated less than 3% of their budget to security.

James Alexander, head of the Deloitte UK TMT security team, said: “This isn’t just an investment thing. Quite often security is defined by external threats and seen as an IT issue. We would advocate it being a business issue. There needs to be a better alignment with the business, and awareness and focus on the most relevant risks.

“As the TMT sector has evolved and converged, the impact of some security threats and issues has grown. They are doing more than just providing a phone line now; they are controlling content and data.”

The report’s recommendations include appointing a head of security, better assessing risk, prioritising access and identity management, and splitting the security effort between internal and external threats.

Duncan Hume, security analyst at Bell Micro, said that the report held serious implications for CEOs: “Some 49% of those responding think that compliance is ‘somewhat effective’. That will be little comfort for CEOs who end up in jail. Sarbanes-Oxley is not a toothless tiger.

“Of all the data provided in this comprehensive report my favourite has to be the 2% of senior executives who, when asked how often they’d like to provided with their company’s security status reports, specifically request not to be informed. Now that’s scary.”

Bill Rann, global head of governance practice at BT Global Services, told IWR: “The fact is that businesses still aren’t always getting the basics right ­ it’s simple mistakes such as failure to encrypt sensitive data. The problem often stems from the boardroom. Security and compliance must be sustainable and strategic considerations; otherwise, organisations will remain two steps behind today’s ever more sophisticated cyber-criminal.”