The finding comes from an exit poll taken at a recent breakfast briefing co-hosted by the Reading-based team at Royal Bank of Scotland Corporate & Institutional Banking (RBS CIB) and attended by senior executives from leading technology firms.
RBS CIB's survey found that nearly one in five firms (17%) had suffered a data security breach in the past 12 months while 37% had dealt with the loss or theft of company hardware and mobile devices such as laptops, BlackBerrys or iPads. Almost 70% said that all company hardware is password protected, though this means a third (31%) are dangerously exposed. And while just over half (52%) of respondents said their firms had a 'crisis' strategy in place in case of a serious security breach, a quarter (25%) said, worryingly, they did not have any such emergency procedure.
The breakfast briefing discussed the range of cyber threats faced by the UK's technology businesses and the solutions available to them to minimise the risks. Entitled Where's Our Reputation? The Hackers Took it Along With Our Data, the event was also hosted by Meridian Corporate Finance and keynoted by Oxfordshire-based IT security firm Sophos. The event was the first in a series of free-to-attend UK-wide thought leadership events to be run by Royal Bank of Scotland Corporate & Institutional Banking highlighting critical - but sometimes forgotten - business issues such as data security.
Speaker James Lyne, director of technology strategy at Sophos, demonstrated to attendees how simple hackers might find it to break into a computer, and the basic steps technology firms could take to better protect their businesses. Lyne had the following top ten board-level tips for local firms in Reading and the surrounding region:
- Implement a multi-disciplinary security review board to make sure you are considering all aspects of security risk. As a minimum, your security review board should have representatives from the legal, compliance, IT, marketing and executive teams
- Define the incident response plan and practise it before it is too late. Actions in the early moments of a breach make the difference between being seen as responsible or being vilified
- Security is more than a Microsoft issue. Mobile devices, tablets and alternative operating systems like Mac OS X can be the target of attacks or data loss too
- Think about your web presence. Many of the embarrassing breaches of the last year have been data loss or 'hacktivist modification' of enterprise web sites
- Hack yourself before they do. Auditing your people, processes and technology security capabilities before the bad guys do will help you identify areas of weakness to prioritise investment in your on-going security programme
- All the right things in the world, but no paper. You can have excellent security controls, but if you don't have the policy framework to document it you will find yourself in hot water. Make sure you have a legally compliant security policy framework
- Don't get hung up on being targeted by the bad guys. Make sure you conduct a risk assessment exercise for your business to understand what could really hurt you
- Consider new computing and business models. Many CISOs have their traditional computing relatively under control, but are also amidst casual adoption of the cloud, mobile and virtual systems. These new platforms require you to update your user awareness training
- Partners might not be your best friends. Make sure you implement contractual checks in standard agreements requiring third parties to ensure they meet compliance obligations
- Round out security controls without buying a billion new shiny toys. Modern security suites should enable you to adopt new controls like HIPS, DLP, patch, web security and device control capabilities (to name a few) without radically changing your investment profile
James Lyne, director of technology strategy at Sophos, said: "2011 has seen an increasing focus on IT security and a significant increase in the volume of malware and infections. This looks set to continue well into 2012 as cyber criminals and hacktivists continue to take advantage of security vulnerabilities, and the range of new platforms and devices in use expands. As such, it's crucial that everyone on the board, not just the CISO, has an understanding of what they should do as a minimum to protect their company from cyber crime."
Roland Emmans, head of South technology team, RBS CIB, said: "One of our objectives was to open people's eyes to new risk and opportunities. This session certainly hit the mark. The queue of people wanting to speak to James Lyne after the event confirmed this, as did the post event discussions with people feeding back how much the event opened their eyes to cyber security being more than just a Windows PC issue. It was amazing how easily an expert could hack into mobile devices and web pages with potentially catastrophic results."
RBS CIB is investing substantial resources in its technology and telecommunications capability at its regional headquarters in Reading, Berkshire, with the aim to better support the local technology industry. The Computers, Telecomms and Information and Communications Technology (ICT) sector is a substantial part of the local economy: in Berkshire alone, it is the second largest employer (11% of all workers) and represents 12% of all businesses.