Earlier this year, the PwC Information Security Breaches Survey 2014 highlighted the fact that the cost of a breach to an organisation has almost doubled since the previous year.
Average cost to a large organisation of its worst security breach of the year: £600k – £1.15m (up from £450k – £850k a year ago)
Average cost to a small business of its worst security breach of the year: £65k – £115k (up from £35k – £65k a year ago)
The rising cost of a breach has forced organisations to spend more on information security. The report found that large organisations now spend on average 11% of their IT budget on security, and that small businesses spend more of their IT budget on security than large ones with an average of almost 15% of their IT budget.
Spending in the right places?
As more organisations start providing the funds needed for better security, it’s easy for that money to be spent inappropriately. Without guidance on where to direct new funds, organisations may find themselves overspending on ineffective solutions, or underspending and thereby seeing the budget cut the following year.
If you are fortunate enough to work in an organisation that understands the need for effective information security, then you ought to do it right. Handing the money over to IT and letting them do what they want with it isn’t necessarily a good choice. IT may know what they’re doing, but effective information security depends on the whole organisation and needs buy-in from every department.
So what is the right place?
Those organisations that want to get ahead of cyber criminals are increasingly turning to the international best practice standard for information security, ISO27001.
ISO27001 has been adopted by big names such as Google, Amazon and Microsoft. ISO27001 isn’t designed solely for large organisations, though: in fact, it can be implemented in even the smallest businesses. Read our case study on Workforce Metrics, a micro-business that achieved ISO27001 certification in only three months for under £5k.
If you are keen to learn more about ISO27001 and how it can help your organisation survive, then I strongly suggest you look at the following pages: