Most Businesses Are Too Confident About Data Security


A recent survey of 530 IT decision makers in the U.K. found that 83 percent of respondents are either fairly or very confident that their business is secure against a data breach. Just 15 percent of respondents said they weren't confident, and 2 percent said they didn't know.

However, the Breach Confidence Index, commissioned by Ilex International and conducted by YouGov in August 2015, also found that just 49 percent of those surveyed said their company hadn't suffered a data security breach.

At the 2015 Cyber Symposium, Michael Fallon, the U.K.'s Secretary of State for Defense, said the cost of data breaches to the U.K. economy had tripled over the previous 12 months to approximately £20 to 30 billion per year.

"With the UK being a leading economic centre and a major target for cyber attacks, the high confidence level is worrying and completely misplaced," Ilex International director of international strategy Thierry Bettini said in a statement. "The Breach Confidence Index shows that businesses have a false sense of security which could result in an increase in security breaches."

According to respondents, the most common weaknesses resulting in security breaches are as follows:

  • Malware vulnerabilities (22 percent)
  • Email security (21 percent)
  • Lack of employee education/security training (15 percent)
  • Cloud applications (12 percent)
  • Insider threats (12 percent)
  • Access control (8 percent)
  • BYOD or mobile access (8 percent)
  • Non-compliance with current regulations (6 percent)

Among large businesses, the concerns shift significantly to a focus on insider threats (44 percent), lack of employee education/security training (42 percent), access control (26 percent), and BYOD or mobile access (24 percent).

"Organizations should include security awareness training as mandatory in security policies and offer regular courses to employees," the report states. "Completely removing human error is impossible, and therefore training should always be combined with security and monitoring technologies to limit risks."

A recent eSecurity Planet article examined the importance of user security training.