Deloitte report warns businesses not to be overconfident in their cyber safety
8 January 2013
Cyber security experts at Deloitte, the business advisory firm, are warning that when it comes to cyber attacks it is not a question of ‘if’, but a question of ‘when’, as a new study shows 88% of companies in Technology, Media and Telecommunications (TMT) don’t think they are vulnerable to an external cyber threat.
In Deloitte’s sixth annual Global TMT Security Study, 68% of companies said they understood their cyber risks and 62% had a programme in place to sufficiently address them. Yet in the past year, over half (59%) said they had knowingly experienced a security incident. With this many successful attacks, companies should treat breaches as inevitable and invest significant time and effort in detection and response planning, so that they can bounce back quickly when one does happen. Despite this importance, only half of companies have this planning in place.
The human factor
Companies rated mistakes by their employees as a top threat, with 70% highlighting a lack of security awareness as a vulnerability. Despite this, fewer than half of companies (48%) offer even general security-related training. Worryingly, 49% also said lack of budget was making it hard to improve security. The impact of employees’ actions - or rather inaction - cannot be overstated and it is important they are aware of their responsibilities. This is even more significant given the proliferation of people’s own devices entering the workplace.
Bring your own
Today’s smartphones and tablets are powerful enough to handle most business activities and it is now common for employees to use their own devices for work. This intermingling of access to business data and use of personal software applications in one device makes mobile devices a prime target for hackers and provides new entry points for attack. This territory is just being charted and only 52% of TMT companies have a bring your own device (BYOD) policy in place, so it is unsurprising that three quarters (74%) of respondents considered the increased use of mobile devices as a vulnerability.
It’s who you know
A major concern for TMT companies was the security of the businesses they work with. In today’s hyper-connected world organisations are more reliant than ever on third parties. Sensitive information can often be found in the systems of businesses that support the supply chain and other business operations. Seventy four per cent of respondents said they were worried about these businesses being breached, so it is vitally important that organisations work with their third parties to understand and improve their security practices, rather than rely on contractual agreements on security.
Who’s watching you?
A major and relatively new threat is ‘hacktivism’, which combines social or political activism with hacking. Protesters who, in the past, might have blocked access to a business by staging a sit-in might now block access to its on-line operations through a denial of service attack. Effective handling of a hacktivist attack requires advance preparation, both from an IT and public relations perspective. Fortunately, our survey shows that TMT organisations are taking steps to get better awareness of cyber risk: 55% of organisations are starting to gather general intelligence about these and other types of cyber crime, although just 39% are gathering information about attacks specifically targeted at their organisation, industry, brand, or customers.
Planning for the future
Encouragingly, having a security strategy and roadmap topped the list of priorities for companies, implying that TMT organisations now recognise that being secure is smart business - not just a regulatory requirement. In addition, companies said the most important consequence of a security breach now is that customers will complain. People now have an understanding of security and little tolerance for mistakes - especially when their data is being held or they rely on a service.
James Alexander, lead partner for TMT security at Deloitte, said: “Cyber attacks are now so sophisticated and commonplace that it is impossible to be fully protected. Companies need to act as if a breach is inevitable and have a documented response plan in place so they can react when it does happen. Unfortunately not enough companies are doing this so we think companies are being overconfident in their resilience.
“Companies must also embed a culture of cyber security in their staff. This is easier said than done, but each employee holds the keys to the castle and must understand that responsibility. Spreading a secure culture should also extend to the businesses that companies work with and companies need to collaborate to ensure strength across organisational boundaries.”
Note to editors
Respondents by sector:
About the TMT Global Security Study:
The goal of the Deloitte Global Security study is to provide TMT companies with insight into the security and privacy challenges and threats that they currently face or will face as an industry. The study is developed based on the results of interviews with security executives of 121 TMT organizations from 38 different countries representing every geographic region. The study surveyed participants from all three TMT sectors and with respondents spanning the full range of revenue categories.
In this press release references to Deloitte are references to Deloitte LLP, which is among the country's leading professional services firms.
Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.
The information contained in this press release is correct at the time of going to press.