For the average British company, IT security is a headache.
First, there’s the direct threat posed to the company’s data, IP and reputation. A recent report from the National Audit Office revealed that cyber crime has already cost UK industry billions of pounds, while our threat research labs at Sophos identify over 250,000 new pieces of malicious code every single day, many designed to steal data and finances or provide backdoor access to company systems.
But in addition, there are the demands of managing this threat. The money, time and resources consumed by getting adequate protection in place and keeping it up to date mean that the process of security itself can become a real distraction, and have a real (and negative) impact on the bottom line.
In fact, security management has many UK enterprises running scared — with small, over-worked IT departments forced to spend a disproportionate amount of effort ‘babysitting’ complex security systems.
The IT department should be a company’s secret competitive weapon, driving innovation and growth through the application of new technologies. But because data security has become such a high profile issue, manpower and budget are often diverted towards what is essentially a fire-fighting activity. But is this really the best place to focus IT talent and spend?
I would say definitely not – especially in the current economic climate, anything that hamstrings a company’s ability to innovate and be competitive needs to be urgently reassessed.
As the volume and complexity of threats increase, and the number of user devices to be protected multiplies, I believe that the traditional way in which security is practiced in many UK enterprises has become a significant ‘drag factor’ on business growth, slowing innovation down rather than supporting it. It’s time to change the model and re-think how security is implemented and managed.
Some companies are already doing this. There is an emerging breed of pragmatic enterprises which, by necessity, have discovered that complex issues don’t always require complex solutions – and in fact, in many cases complex solutions aren’t solutions at all. Similarly, when it comes to IT security, good security shouldn’t have to require the undivided attention of the IT team to make it work.