Information security in companies: option or obligation?
Today the internet hosts a great deal of information, e-commerce, digital companies and social networks, among many other things. As a result, there are many threats and attacks that put all of these platforms at risk, including established companies. However, there are companies that do not care about the security of their data. According to the results of Future of Cyber, a study conducted by Deloitte in 2019, many cyber organizations are challenged by their own ability to better prioritize cyber risk across the enterprise. Throughout this article we will highlight some concepts, such as computer security and its importance, and some reasons why some companies give low priority to the security of their information.
Year after year, cyber attacks continue to grow in frequency, severity and impact, leaving prevention and detection methods increasingly inefficient. Many organizations do not know what to do or do not have the necessary resources to combat them. In 2016 alone, the increase in detected incidents affecting information security was 36%.
Likewise, a study carried out in the United States highlights that 98% of intrusions into information systems or technologies go unnoticed and that, of the 2% that are detected, only 5% are reported. Within companies, the neglect of information still requires attention.
First we must consider what computer security is and why it is important. Computer security can be defined as the discipline in charge of proposing and designing the norms, procedures, methods and techniques intended to make an information system secure, reliable and, above all, available.
Its importance comes from the fact that the main task of computer security is to minimize risks. These risks come from many sources: data entry, the medium that carries the information, the hardware used to transmit and receive it, the users themselves, and even the protocols being implemented. The main task, however, is always to minimize these risks in order to achieve better and greater security. Data that is this exposed is in great danger: much of the stored information may be lost, and there is also the risk that, once breached, this information is used maliciously in future attacks, not to mention the loss of capital.
So why are there still companies that do not care about computer security?
It is necessary to consider that there are various external factors that lead companies to pay little attention to computer security, beyond a simple lack of concern on the part of the organizations. Some of these factors are:
- Low budgets for cybersecurity: The visibility of the problem of cyber risk and information security continues to increase, with consolidated Information Security functions and increased budgets. Even so, in the view of cyber risk and information security executives, there is still a deficit of resources and budget to cover the needs and requirements of the business. Nearly 60 percent of security professionals say they do not have the budget to combat attacks. The amount that most companies allocate to cybersecurity is typically 10 percent or less of their information technology budgets, which is not much, according to security firm LogRhythm.
Low budgets for IT security are also a problem in universities. Eighty percent of educational institutions do not have any software installed on their systems to protect against malware breaches. And nearly 3 out of 4 schools say money is the main factor in getting adequate protection.
- Low use of KPIs: Less than 10% of organizations have a dashboard (KPI) to evaluate cyber risk and information security management. As the Deloitte research explains, having key performance indicators (KPIs) for cyber risk management and information security is a challenge that executives have not yet been able to address. As a counterpart to increased budgets and visibility of information security, organizations need indicators that allow them to understand the level of risk they are exposed to and the quality of its management. Likewise, these indicators must not only facilitate the management of the area itself but, fundamentally, be understood by the business.
- Low cyber security staffing: According to the Deloitte research, 47% of organizations have only 1 to 5 people dedicated to cyber security. The size and amount of human resources dedicated to cybersecurity and risk management is closely related to the size of the organization, how regulated the industry in which it operates is, and fundamentally the scope and activities that the area carries out. Organizations are turning to third parties to manage certain facets of their cyber operations. According to 65 percent of CISOs surveyed, 21 to 30 percent of total cyber operations are outsourced, and nearly half (48 percent) of CISOs select internal threat detection as a primary function that they rely on third parties to manage.
- Unqualified and outdated security tools: Three-quarters of security professionals do not believe that purchasing all available data security tools will fully protect their organizations, according to Tripwire. But hackers have the ability to easily access that information. Only 40% of institutions implement network protection technologies according to the Deloitte survey.
- Low Cyber-Risk Incident Response Capabilities: Nearly 4 out of 10 organizations do not have specific capabilities, tools or procedures to respond to a security breach. On the other hand, only 1 out of 4 organizations has implemented technology and processes to respond in an orderly and fast manner to the occurrence of a security breach.
After analyzing this information, we can conclude that the issue is not really a lack of attention on the part of companies towards computer security measures, but rather that companies often face certain limitations that prevent them from developing these measures. However, we have already seen the importance of keeping these security measures in mind, since they are what can help reduce the impact of cyber attacks on organizations and therefore keep losses to a minimum.