This growing importance is pushing some companies to change the way they structure IT and security functions to ensure budgets and responsibilities go to the right place.
This is partly due to changes in public perception and partly because of major changes to regulations.
Data losses, whether from Wonga or Yahoo!, have a real impact on business and on reputation and, for listed companies, can even damage the share price.
Cisco’s annual report of security breaches found strong evidence of the real damage a breach can do.
Researchers spoke to companies which had suffered a breach to see what the actual impact was, and what action they took to ensure it didn’t happen again.
Firstly, the damage was real. Of the companies which were breached, 22 per cent lost customers and 29 per cent lost revenue. These losses can be serious – 38 per cent of those who said they’d lost revenue lost more than 20 per cent of turnover.
Even if the breach is solved quite quickly it can take many months for revenue to recover, and even longer for the reputational damage to diminish.
For smaller, or struggling, firms this can be enough to tip them over the edge.
Figures from the US-based Cyber Security Alliance found 60 per cent of firms suffering a breach went bust within six months.
The report also looked at what companies did in reaction to the breaches. According to the 3,000 chief security officers surveyed, the most common reaction was to improve threat defence and response processes – 90 per cent took this action following a breach.
Improved staff training was implemented by 38 per cent of companies.
Perhaps more surprising was that an identical number, 38 per cent, decided to make changes to business structure as a result of the attack.
The IT department has been the traditional home for cyber security because the traditional tools were software based – firewalls and anti-virus products.
But there is an increasing number of enterprises which are choosing to separate IT and security functions.
This aims both to free up IT and to broaden security, making it an issue for the whole business.
Cyber security is about far more than firewall policies.
It is about ensuring all staff are properly trained, which might be an issue for human resources rather than the IT department.
As criminals use ever more sophisticated social engineering, whether via email or phone, so the need grows for business to take a wider view of the threat.
This might seem counterintuitive. But putting the same person in charge of the network and security means one must take second place.
It also forces security to take a reactive role instead of being strategic and proactive.
As the security threat continues to evolve so the role of enterprise security needs to evolve.
Security teams must start to think about the next threat and not just react to the last threat because the attackers are accelerating the rate at which they develop new threats.
New approaches to business can increase the risk of cyber crime.
Attackers have many more ways to attack a company’s network than they would have done just a few years ago.
Bring Your Own Device policies mean enterprises need to secure an ever larger number of mobile devices, each with their own operating systems, applications and associated security problems. As networks are increasingly integrated with suppliers, distributors and other partners, so the available attack surface continues to grow.
But businesses need to embrace these sorts of changes to remain competitive.
Equally, there are threats from other types of business innovation. A study of cyber security by HPE and the Ponemon Institute found that business innovations like acquisitions or taking on a major new partner can increase the average cost of cyber crime events by 20 per cent.
Another risk can come from new customer-facing applications – launching such an app can increase costs of breaches by 18 per cent. This finding reinforces the need to design in security from the very start of designing new applications or business processes.
But Ponemon researchers also stressed that security concerns must not stop a company innovating – with digital disruption hitting all areas of the economy no business can afford to stand still.
Instead companies need to embrace best-of-breed security as a business innovation in itself.
As the issue continues to become more important so security will be a way to make your company stand out ahead of the competition.
Security will become an enabler of new business rather than being seen as a brake on innovation.
Of course, dividing IT and security is not a magic bullet for all of today’s threats.
Nor does it mean that security becomes ‘someone else’s problem’.
Security needs to be part of every part of the business – from marketing to devops – people need to think about security and privacy from the very start of any project.
This change is also reflected in the big change in regulations coming in the form of GDPR – General Data Protection Regulation.
GDPR will fundamentally change the way companies can process personal information. It requires they justify the collection, storage and processing of data at every single stage.
It also aims to bring transparency by forcing companies to report certain types of data breach – either to regulators or in some cases to the individual people.
The new regulations will bring massive changes to every part of the enterprise.
It will mean security and privacy will have to be part of the conversation for every part of the business, not just IT.
GDPR also increases the risks of getting it wrong. Companies found guilty of failing to properly secure their systems can be fined up to €20m or four per cent of global turnover, whichever is larger.
The deadline is not until May 2018 but firms are already getting systems in place.
The change is a chance for companies to take a deep look at security and privacy and get fit for the future, but also to make security a force that pushes the business forward rather than holding it back.