KPMG: UK businesses not taking cyber security seriously

Top level staff in UK businesses are not taking the threat of cyber crime seriously enough, a report has claimed, opening the doors for channel players to play an educating role by establishing a ‘business partner’ relationships with top staff.

According to professional services firm KPMG, many businesses are unprepared to deal with wide ranging security threats they currently face. A report from the group highlights that 15 percent of Forbes 2000 companies surveyed allow hackers easy access to private login details on corporate website. The report claims that many websites owned by prominent companies contain meta-data from which private information can be gleamed, including email addresses and potential user names.  Such information can be used to formulate further attacks on  the company.

KPMG’s Head of Information Protection and Business Resilience, Stephen Bonner said that criminals are benefiting from the lack of  cohesive strategy to protect against cyber crime, with a lack of awareness at boardroom level of the potential risks.

“It does seem that with our economy in a state of sluggish growth cyber crime is the one area bucking the trend as a shady growth industry,” Bonner said. “My worry is that boardrooms up and down the country are only slowly wising-up to the threat and understanding the damage that can be inflicted on operations and reputation if they fail to create the appropriate defences.”

Bonner thinks that currently, too much is left to IT departments to develop a security strategy, with a security breach having potentially disastrous consequences for a company’s long term stability as well as putting customers and suppliers at risk.  He claims that more is needed to be done to ensure that all types of employees are aware of the potential dangers, such as alerting top level staff to potential dangers.

“It’s true that many successful cyber risk frameworks begin within IT, but as these gain momentum and scope they usually take responsibility for broader issues like privacy and data quality,” Bonner said.  “At that point, they should surely become a governance function that needs to be separate from IT.  Anything less runs the risk of losing an independent eye ensuring everything remains on track.

According to David Caughtry, director of core technology at Computerlinks, the channel can help in providing guidance for companies to prepare a cyber security strategy.

He said that there are a couple of reasons why KPMG could perceive businesses aren’t taking security seriously enough. Firstly, he explains, it depends on their appetite for risk, with many business leaders averse to spending on security – with financial sanctions for data breaches relatively small.

“Often, the fines imposed for not complying with data security standards pale into insignificance compared to comprehensive protection against potential security threats,” Caughtry said. “Though most would argue that prevention is better than cure, those organisations with a higher appetite for risk may choose to chance it in order to save money.”

The second reason, Caughtry said, is one of attitudes within the channel. The channel has traditionally sold products and services to IT managers rather than reaching out to the CEO or board, but a change of approach could be beneficial for resellers, engaging with a wider spectrum of staff.

“In order to raise awareness of the risks to businesses, channel partners need to migrate from a purely technical role to one of a business partner when it comes to data and IT security,” he continued.

“This way, the business as a whole will begin to understand the potential consequences that can come with ignoring potential cyber security threats,” Caughtry said.