Why IT departments shouldn’t be responsible for cyber security

By Bill Goodwin
A guest blog post from Malcolm Marshall, partner in KPMG’s Information Protection and Business Resilience practice.

We expect cyber attacks to continue to grow in scale and sophistication. The UK’s digital economy accounts for over 8 percent of our GDP – a figure which reflects the necessity for organisations, and their boards, to treat cyber security as a priority.

The internet brings massive potential for business, but of course, where there is business, crime will follow.

The motives aren’t just theft, but include on-line espionage of intellectual property and denial of service attacks against companies.

The Government recognises this and only two months ago the Department of Business, Innovation & Skills (BIS) wrote to the chairmen of all FTSE 350 companies inviting them to undertake a cyber governance health check.

What’s increasingly clear is that cyber-security should be a board level responsibility and concern. It may be tempting to delegate cyber security strategy to IT, but to do so is to delegate responsibility for the business’s whole security, as well as that of every customer and supplier.

KPMG’s Data Loss Barometer records almost a 50% increase in hacking incidents recorded by organisations between 2010 and 2012. Our research shows that every single company in the FTSE 350 exposed data on the internet which could be business sensitive.

New technologies such as mobile devices, cloud computing, big data and social media bring real opportunities, but they also bring new risks and potential attack techniques.

Companies need to strike a balance between technology opportunity and cyber threats. Good practices such as anti-virus systems and firewalls are commonplace, but what’s required is a more nuanced, intelligence-led approach which helps an organisation to tailor its security posture to the changing threat, as well as making sure the organisation is well placed to handle the consequences of a cyber incident.

This approach can only be instituted at board level.

Many of our largest clients demonstrate a sophisticated approach to cyber security, with the financial sector in particular working to counter global e-crime and the defence sector working to counter sophisticated espionage.

But there is more that needs to be done to counter the threat, and that threat also impacts many other sectors where cyber security has yet to become a board issue.

Small and medium-sized firms can also find countering sophisticated threats a major challenge, but they form a vital part of the supply chain and cannot be allowed to become a weak link in our defences.

Via ComputerWeekly.com
