Research Insight:

Security challenges for UK enterprises

Intelligent Market Research

Fast-changing threats to enterprise IP

UK plcs companies are well aware of the havoc created by criminal gangs targeted attacks or damage from lone hackers dedicated to crashing corporate IT systems. However, other risks are emerging as supply chains and business processes being opened up to allow more flexible collaboration with partners and suppliers - while end users increasingly access applications and core data from mobile devices. As companies re-engineer their business models for the mobile internet age, so perennial threats are now being rivalled by new risks associated with organisations mobilising their core data assets. This study examines the way that UK companies IT decision-makers are broadening their risk management thinking and seeking to actively manage their policies. It shows that, as well as coping with disruptive tablet, mobile device and cloud technologies, organisations senior management is constantly re-addressing the human factor in IT security: the potential for unauthorised or accidental loss of intellectual property (IP) assets by disaffected, misguided or poorly-trained employees.

Threats - inside and out

The online survey questioned 100 UK enterprise IT decision-makers drawn from an independent panel of executives. Respondents represented larger (3000+ personnel) and smaller (1000-3000) enterprises across the financial services, manufacturing, retail & transport and other commercial services sectors. The study found that the security threats that concern most respondents are: employee attitude to security protocol (77%); malware (76%); use of personal cloud storage (70%); malicious non-commercial external attacks (70%); and commercially-driven attacks (60%). But the true extent of executives concern is revealed by the next five threats identified: personally owned devices (59%); cloud software (58%); mobile devices (57%); internal threats (54%) and supply chain threats (31%) - the mobilisation of data and its access via cloud and smart devices are shifting the focus of corporate risk management towards employees workplace tools and behaviours.

Find out more:

Watch our recent IT Security Webcast

Risk management thinking protocols and partners

Assess

Evaluate

84

UK businesses are attempting to impose security processes on their employees. The vast majority 84% - of UK organisations has a formal process for reviewing security protocols, and of those with such processes, 57%, conduct the review on a quarterly or monthly basis.

Measure
M anage

More than two thirds (69%) of organisations review their security providers; this figure rises to 80%

Find out more:

Read our blog 'Information security: the human factor matters more than ever'

among organisations with more than 3000 employees. Not surprisingly when different sectors are compared, financial services respondents (80%) have the highest security vendor evaluation levels but surprisingly, only just over half of retail and transport interviewees (52%) take this step.

A proactive approach to threats

UK companies struggle with regular or even proactive risk management. Although around one fifth (22%) checks both protocols and vendors quarterly, 17% does so only twice a year and around one in ten (9%) manages only an annual review of both. Many respondents leave security to the vendor: over one third (36%) says they dont carry out this dual review process at all. Bigger enterprises are more likely to have formal policies for both protocols and providers; although 26% of them do not, this figure rises to 46% among the smaller category (1000-3000 employees) businesses studied. The survey generally found that those organisations spending the biggest percentages of the IT budget on security and those spending more than three years ago tend to make greater use of security protocols and providers. As a result, senior management teams that recognise the importance of perceived threats also place greater emphasis on proactive and preventative measures.

Best practice a state of mind?

The study shows a clear link between companies awareness of different threats to their IP and their level of expenditure on the different components and management of information security systems. The telling factor is how much of the enterprise's IT budget is dedicated to security - nearly three in four of those enterprises that ring-fence more than 10% of their IT budget for security have formal policies to review both security protocols and security providers. In those enterprises where the security spend is less than 5%, only just over half has these dual checks in place. Creating a risk-aware culture remains difficult in some firms. None of the firms that spend 5% or less of the IT budget on security says their employees regard security as the top priority when using the companys IT but in those firms spending more than 10% of budget on security, this figure was much higher at 41%.

More money for security

65

Regarding security budgets, almost two thirds (65%) of interviewees are spending more on data security than they did three years ago, with only 22% spending the same amount.

Find out more: Watch video interview 'Does Security Spend Matter?' Find our out more:
Watch our video interview 'The Employee Security Confidence Gap'

Enterprises found to have the lower proportion of corporate IT budgets ring-fenced for security are far more blas about the significance of the security threats that the survey listed. This might suggest a level of paranoia among higher spenders or alternatively, that small spenders under-estimate the risks they run. Only 7% of interviewees say they have cut their security spend compared with three years ago. Bigger and smaller organisations appear to be buying more security as time goes on, not less.

Bigger firms are upping their investment by slightly more than smaller ones; their average increase in security expenditure is 31%, compared with 23% in smaller companies. If anything, the study suggests that companies increasing their IT security spending have heightened sensitivity to security threats, rather than complete confidence that theyre fully protected.

And while larger enterprises see IT security as a higher priority, they are more likely to find it more complex,

Find out more:

Watch our video interview 'Does Security Spend Matter?' Look at the headline figures in our 'Strategic Insight Infographic'

90%

and are concerned about a wider range of issues than smaller enterprises. Tellingly, over 90% of those enterprises spending more than three years ago admitted that they can never feel 100% protected.

No room for complacency

This study reveals the effort and resources that companies need to put aside to keep on top of IT security, all of which may stretch even a large company in todays 24/7 trading environment. However, its clear that a significant proportion of firms, particularly those with lower IT security spend, is failing to build a risk management culture including enforcement of security protocols.

24/7

Despite their IT security investments,

42%

only 42% of companies express full confidence in their protection against any of the ten main threats identified. However, having processes for regular security protocols checks does appear to boost confidence.

Interested in using market research to help your organisation? To take the first step, download our latest White Paper 'Things to take into consideration when choosing a Market Research company' for lots of tips and advice.

white paper

Things to take into consideration when choosing a Market Research company

Market Research; What is it? Whats it for? What do you do with it and how do you do it? Which agency should I use? 1-2 3 4-6 7-10

MR: What is it?

The clue is in the name. This is an examination or questioning of a defined market, which is usually carried out by asking carefully-constructed and replicable questions of a representative sub-set of that market (rather than everyone because that would be a census which would be very expensive, take too long and is unnecessary) which gives us a perspective on the current, past or future behaviour of the whole market. It tests the whole market by researching the responses, attitudes, understanding, of this sample group. Thats market research.

Smaller enterprises (1000-3000) are generally more confident than their larger peers of the protection they have in place. Are they running simpler IT environments or are they more complacent? The study shows a clear connection between firms where there is a higher level of threat awareness, commitment to using security protocols and continued investment in IT security measures. Moreover, in the face of disruptive technologies and mutating internal and external threats, the most risk-aware UK organisations in this study are in no way satisfied with their level of protection. They never regard their vital information assets as completely safe.

Download Now

01 | Vanson Bourne - Things to take into consideration when choosing a Market Research company

Find out more:

Access the full in-depth market research results on IT Security on our website here.

Intelligent Market Research