Over three quarters (78%) of UK IT security professionals do not have insurance, or do not know if their organisations are insured against e-crime legal costs. This is despite more than half (54%) seeing an increase in the threat level in the last 12 months, according to a new study released today by KPMG.
Just over a quarter (27%) say they have definitely taken out insurance against interruption of business by hackers, while only 27% say they know their organisations are insured against e-crime-related data loss.
Malcolm Marshall, UK Head of Information Security at KPMG, comments: “Businesses should be acutely aware of e-crime risks after various recent high-profile cyber attacks against big organisations. But they aren’t taking out insurance for a number of reasons.
“Not many out there know or understand what insurance is available. Many are also sceptical about the effectiveness of current policies and whether insurers will actually pay out against e-crime claims.”
KPMG and AKJ Associates surveyed 200 senior security decision makers from global businesses including FTSE 100 companies to compile the e-Crime Report 2011.
Lack of knowledge raises risk
Insufficient awareness of the increasingly unpredictable e-crime threat also appears to be hampering organisational response, the research finds.
Two fifths (41%) of organisations say their lack of knowledge of potential vulnerabilities is leaving them open to attack. As a result, half (51%) admit they don’t have, or don’t know whether their organisation has, a strategy for dealing with e-crime risk.
More than half (58%) of CISOs are also experiencing problems prioritising detection and, a similar proportion (54%), the investigation of e-crime incidents.
Marshall continues: “The threat landscape is changing by the day and it looks like organisations are floundering as they try to protect themselves. You need to act fast to create strategies that enable them to prevent, detect, respond and learn from attacks.”
New technology exposes new vulnerabilities
Compounding the e-crime threat, the report also found that companies are opening up new lines of attack as they attempt to capitalise on popular new business and consumer technologies.
Despite almost a third (29%) having already invested in cloud computing and two thirds (65%) in outsourcing, 69% agree that this activity presents the greatest security risk to their vital data. The majority (87%) also single out Software as a Service (SaaS) as increasing their vulnerability to security risks.
Alarmingly, half also believe the internet in its current form does not provide a sustainable platform for e-commerce and e-service delivery.
Other major risk-raisers identified include employees using the same devices for business and personal use (83%) and the use of consumer technology in the enterprise (92%), such as smart phones and tablets.
Marshall concludes: “While innovations like cloud and mobile computing deliver cost savings and efficiencies, security needs to be built in from the start to avoid the risks destroying the benefits.”
|