The research, suggests BT, "highlights that UK businesses are lagging behind their US counterparts in crucial areas." The results show a consistent theme of US business being more concerned about cybersecurity threats than UK business. While relatively few respondents believe that their CEOs consider security 'an absolute priority' (Brazil is highest, with 52% of respondents), the UK lags far behind on 17% compared to 41% in the US.
One reason could be that UK managers simply do not understand security: while 86% of US directors and senior decision makers receive IT security training, only 37% do so in the UK. But while the US respondents recognize that their senior management takes security more seriously than do the UK respondents, they still believe that management does not take it seriously enough. While 55% of UK IT decision-makers believe their boards underestimate the importance of cyber security, this increases to 74% in the US – indicating that security is given a higher priority in US IT departments as well as US boardrooms.
Interestingly, despite this survey being conducted well after the Snowden leaks commenced, and despite repeated assertions from the NSA and GCHQ that this will lead to increased terrorism, terrorism is low down on the list of perceived increasing threats for the next 12 months.
Most respondents considered the non-malicious insider to pose the greatest threat. An example could be the loss of personal information under the care of the company – and it may be a reflection of growing awareness of data protection, and increasing sanctions for breaches of data protection. The European Union is leading the way in this, and is threatening to introduce fines of up to 2% of global turnover for data breaches that could actually emanate from a non-malicious insider. Even here, however, the risk is considered greater in the US (65%) than in the UK (51%).
Hacktivism is thought to be the next most serious threat, followed by the malicious insider, organized crime and the nation state. Terrorism is thought to be the least likely to pose an increased risk over the next year: 39% in the US and 38% in the UK.
The consistent difference in attitude towards security between the UK and the US suggests one of two possibilities: that the UK underestimates the threat, or that the US overestimates the threat. Few in the security industry will believe the latter.
"US businesses should be celebrated for putting cyber security on the front foot," suggests Mark Hughes, CEO of BT Security. "The risks to business are moving too fast for a purely reactive security approach to be successful." He believes that an effective approach to security must come from the board downwards – cyber security should not be seen as an issue for the IT department alone. "As the threat landscape continues to evolve, CEOs and board level executives need to invest in cyber security and educate their people in the IT department and beyond. The stakes are too high for cyber security to be pushed to the bottom of the pile."