On top of external threats many IT leaders are also battling the growing risk from security breaches from inside their own company.
Independent research commissioned by specialised recruiter Robert Half found almost nine in 10 (87 per cent) Australian CIOs have experienced an internal IT security breach in the past three years, thereby potentially facing a range of devastating financial, operational, and reputational consequences, with the average cost of a data breach to an Australian business being $2.51 million.
According to the research, which surveyed 160 Australian CIOs, the most common types of internal IT security breaches experienced by Australian companies in the past three years are social engineering (48 per cent), information leakage (48 per cent), deliberate cyber-attack (41 per cent) and staff downloading malicious internet content (35 per cent).
Andrew Brushfield, Director of Robert Half Australia said, “While the response to IT security has traditionally been to find the optimum way to protect a business’ assets from external security attacks, companies now face a growing risk in the form of potential internal security threats.”
Many internal IT security breaches take place inadvertently by company employees. Businesses must take a proactive, rather than reactive, approach when addressing their internal IT security infrastructure and policies.
“Maintaining the integrity of internal IT security systems will be essential for the long-term viability of companies as we change the way we work through digitisation.”
While as many as 96 per cent of IT leaders are already implementing a range of security measures to combat internal IT security threats, the research has found Australian CIOs rate their existing employees’ knowledge of potential IT security risks and the company’s security policy an average of 7 out of 10, highlighting there is room for improvement when it comes to raising employee awareness.
“All staff – from senior to junior – in the company need to be aware of the risks associated with email, social media and confidential information. Providing regular training – that go beyond the obligatory email – of all personnel on cyber-security policies and corporate practices will be essential if companies want to have an efficient cyber-security approach.”
The measures CIOs have already taken to enhance internal IT security include conducting an internal IT security audit (41 per cent), conducting security awareness training for employees (39 per cent), implementing secure backup and recovery processes (36 per cent), implementing remote access policies and procedures (35 per cent), and hiring permanent and temporary IT staff to strengthen IT security processes (34 per cent).
Companies should take on a continuous enterprise-wide approach that combines both the technological means and the talent to manage it. This means onboarding skilled IT security professionals, such as IT security analysts, information security officers and IT security engineers, to address sophisticated cyber-security threats – both internal and external
Meanwhile, there’s a common understanding in the sector that enhancing internal IT security is an ongoing process, as 96 per cent plan to take additional measures. The top five internal IT security measures CIOs are planning to take are:
Implementing secure backup and recovery processes (39 per cent), monitoring and logging employees’ online actions (37 per cent), conducting security awareness training for employees (35 per cent), conducting an internal IT security audit (33 per cent), and hiring permanent and temporary IT staff to strengthen IT security processes (30 per cent).
In a further sign of the growing demand for IT security specialists, the 2017 Robert Half Salary Guide has identified substantial year-on-year salary growth for both cyber-security specialists (+6.2 per cent) and IT security specialists (+4.8 per cent), indicating IT security roles are in high demand with companies willing to increase salaries to secure top talent.
“Not only are companies battling their own internal IT security threats, they also have to contend with a very limited pool of IT security candidates in Australia, highlighting that IT security professionals with the most sought-after skills are in a very favourable position to negotiate above-market salary increases,” according to Brushfield.