The necessity of effective IT governance

Organisations can often run into trouble when it comes to effective IT management, especially when IT needs to be used for reaching business goals.

IT governance, a smaller subset of corporate governance, is focused on information technology and the underlying performance and risk management of IT. With strong IT governance measures in place, a business is able to use IT to achieve key goals effectively.

This article will explore the necessity of IT governance, how it can be used in a business environment and several of the steps necessary to put stronger practices in place.

It should certainly become a focus for businesses in the near future, given the growing role of IT systems and processes among organisations.

An understanding of IT governance

Businesses, both small and large, are becoming increasingly dependent on IT for nearly every area of operations. Whether for enhancing communication among workers, increasing collaboration or reducing costs across the board, IT is now key to the long-term plans of many companies.

IT has quickly moved from a secondary consideration to one that's firmly at the forefront of many decisions, and as such governance of IT is now part of broader corporate governance.

As governance essentially revolves around who makes decisions within the corporate structure, and as such who is responsible, it's important that IT be clearly understood. IT needs to be transparent for those within the company, with policies that are understood and easy to access.

With clear and effective governance over time, businesses are able to build an IT focus that supports wider company goals, and is able to adapt to any necessary changes.

In addition to this, IT will be able to stick to a defined budget structure and establish the best IT practices for those within the company across the board.

As IT is now a leading consideration for businesses, it's essential that management practices are clearly defined and implemented throughout the structure. Because IT can be a difficult area for businesses to understand, the policies need to be clear and transparent.

Steps to ensure effective governance

Once the importance of effective IT governance is understood, it's time to turn to the best practices for actually implementing governance strategies.

There are several key areas that need to be focused on, outlined below.

1. Responsibility – It's vital that the governance structure within the organisation focus on IT project results, as opposed to implementation and project management endeavours.

2. Transparency – Because IT can be a foreign area for many within the company, transparency of structure and process is essential. It's important to place a focus on who has decision making rights, and communicate this to those within the wider company.

3. Accountability – Building off the above two points, accountability involves ensuring that any committees or leaders assigned to IT governance are accountable for any objectives they've been assigned. In the case of any issues as a result of mismanagement or failure to perform, there need to be clear escalation methods in place.

Training

It's important to never underestimate the value of IT governance training, as it's able to effectively communicate and teach many of the practices outlined above. If an understanding of governance is stressed through effective training, it's likely that IT will become a far easier endeavour for companies.

Control Objectives for Information and Related Technology (COBIT) is a framework that's able to effectively teach an understanding of IT governance, as well as information technology management.

By undertaking COBIT 5 training courses from a leading provider such as ALC Training, businesses can build an end-to-end view of IT governance, one that's able to reflect the central role technology plays within the business.

Senior leaders ‘should be involved in IT security issues’

CEOs and senior executives must take IT security measures seriously to ensure businesses are protected from the growing threat of cyber attacks.

This is the upshot of recent analysis by global management consultancy McKinsey & Company, which outlined the importance of ensuring the C-Suite leads from the front line on cyber security issues.

The organisation said not enough is being done to protect mission-critical information assets, despite senior executives being well aware of the risks of falling short in this valuable area.

McKinsey noted that many businesses are still facing a number of obstacles, including the difficulty of changing user behaviour.

“For many institutions, the biggest vulnerability lies not with the company but with its customers,” the organisation stated.

“How do you prevent users from clicking on the wrong link, allowing their machines to be infected with malware? How do you stop them from transferring incredibly sensitive information to consumer services that may not be secure?”

Offering IT security training

One way to better educate employees is to conduct comprehensive information security training, with a number of extensive courses available to overcome potential risks.

According to McKinsey, pushing change in user behaviour should be a priority for senior managers hoping to build up ‘cyber resiliency’ in a modern business environment where threats are becoming increasingly common.

“Given how much sensitive data senior managers interact with, they have the chance to change and model their own behaviour for the next level of managers,” the organisation said.

Some simple steps can begin this process, including being more careful when sending documents from corporate to personal email addresses.

Senior executives must also create enough airtime to communicate to front-line staff the importance of protecting the company’s information assets.

Improve strategic decision-making

Businesses were also advised to consider cyber security risk alongside other kinds of risk. As such, they should assess the organisation’s appetite for loss of intellectual property, disruption of operations and disclosure of customer information.

Once these decisions have been made, management teams must communicate with cyber security professionals to help prioritise existing data assets and gauge trade-offs between operational impact and risk reduction.

However, effective IT governance training might also be required. McKinsey noted that regardless of how comprehensive a set of cyber security policies are, some employees may try to work around them.

“Senior management obviously needs to make sure that policies and controls make sense from a business standpoint,” the organisation said.

“If they do, senior managers then need to backstop the cyber security team to help with enforcement.”

In addition to governance, granular reporting is suggested to track how the company is performing against pre-defined targets across the IT security program.

The importance of senior executive buy-in

Research conducted by McKinsey in conjunction with the World Economic Forum showed that senior management time and attention was the most important factor in mature cyber security initiatives.

This meant it had more of an influence on success rates than company size, resources provided and industry or sector.

The data supports a similar survey conducted last year by Frost & Sullivan, in which 69 per cent of respondents confirmed their CEO is now a decision maker regarding IT security issues.

Senior executives from across south-east Asia were polled, with 40 per cent stating the chief executive is the central decision-maker on such matters.

Edison Yu, associate director, ICT Practice, Frost & Sullivan Asia Pacific, said: “More and more firms are realising that security is not the remit of the IT department alone.”

“The impact of a security breach on business is real and broad, and management wants to be proactively involved in preventing it.”

Arm your team with a CISSP certification

Are you an IT professional ready to advance your expertise? Or are you a senior executive who wants your IT team to have the most up-to-date qualifications? Sign up to ALC Training’s CISSP course, a comprehensive 5-day course for IT professionals. Our CISSP training covers the 8 domains of the CISSP Common Body of Knowledge to prepare you for the CISSP exam.

Employees ‘biggest threat to IT security’

Businesses worldwide are recognising that employees are one of the biggest threats to IT security, new research has revealed.

A survey of 250 IT professionals conducted at the Infosecurity Europe 2014 event noted that 44 per cent of organisations felt staff ignorance was a problem that could lead to breaches.

This compared with 20 per cent of respondents who argued that malicious insiders were the largest potential threat to business systems.

Overall, 70 per cent of participants listed employees as the most common shortcoming in their IT security plans, while 20 per cent cited current processes and just 9 per cent said technology.

The poll, which was conducted by AppRiver, largely quizzed IT professionals from the UK and the US, but the results have ramifications for countries worldwide, including Australia.

Earlier this month, a Ponemon Institute survey found just 40 per cent of Australian businesses were educating their staff on cyber security risks. Only Brazil had lower IT security training participation.

Troy Gill, AppRiver senior security analyst, said new threats are hitting businesses every day and employees must be prepared.

"We've seen a dramatic increase in phishing attacks since the beginning of this year, with many proving successful, which is a classic example of how an unsuspecting user can unwittingly put the organisation at risk," he said.

"Educating users to these types of attack vectors is just one element of effective remediation."

Aside from training, Mr Gill also recommended removing suspicious electronic packages from mailboxes automatically to ensure no one opens them and releases potential viruses.

When the same survey was completed last year, many US organisations blamed external influences, which indicates the shift in attitudes regarding IT security threats. 

In 2013, Mr Gill admitted it is hard to plan for employee ignorance, but training and automation help mitigate many of the potential risks businesses face.

BYOD security crisis on the horizon?

Bring-your-own-device (BYOD) policies have become increasingly popular in organisations across the world, bringing flexibility and productivity gains to many.

However, a new report has suggested that BYOD could be a ticking time bomb in terms of IT security, with many businesses failing to adequately consider the risk of mobility.

The ‘BYOD and Mobile Security’ survey, sponsored by Vectra, saw 1,100 members of LinkedIn’s Information Security Community surveyed regarding the current trends and challenges affecting modern companies.

According to the results, the primary reasons for introducing BYOD schemes are to improve employees’ mobility, job satisfaction and output.

BYOD is still under evaluation at 31 per cent of firms, although 40 per cent said company-owned devices are widely used. Unfortunately, 21 per cent admitted staff using their own devices despite the lack of a supporting BYOD framework is common.

Without the right IT security training, unmonitored use of employees’ personal devices could become a significant problem for organisations.

In fact, 67 per cent of respondents claimed they are concerned about loss of data due to lapses in BYOD policies. Fifty-seven per cent said unauthorised access to commercial information and systems is a worry.

Other issues raised were users downloading apps and content with embedded security problems (47 per cent), malware infections (45 per cent) and lost or stolen devices (41 per cent).

The biggest negative impact companies experience from mobile security threats is having to allocate more resources to cope, with 30 per cent highlighting this as an issue.

Corporate data loss and theft (16 per cent) and increased helpdesk time for repairing damage (14 per cent) are also concerns.

BYOD and IT security training

The security drawbacks of BYOD policies have been recognised for some time. Last year, Gartner noted the mobility trend will create a need for more protection on business and consumer devices.

Ruggero Contu, research director at the organisation, said more people using personal smartphones, laptops and tablets at work matches a rise in BYOD security solution demand.

“The current awareness of security and its impact on users of mobile devices is likely to change,” Mr Contu explained.

“Gartner expects attacks to focus increasingly on mobile platforms as they become more popular.”

The International Data Corporation (IDC) said Australian chief information officers are also becoming more aware of the risks of mobility.

IDC data last year showed 75 per cent of Australian businesses expected to use mobility technologies by the end of 2014. The company said this brings a number of complex challenges when considering deployment and integration of BYOD policies.

Raj Mudaliar, senior analyst of IT services at IDC Australia, said: “Enterprise mobility solutions are increasingly becoming a part of enterprises’ IT road maps to enable a […] richer customer engagement platform.

“BYOD is further exacerbating this shift by acting like a catalyst for adoption.”

According to the Vectra research, companies are dealing with the threats of BYOD policies in a number of different ways.

The largest share (43 per cent) are using mobile device management, while 39 per cent are utilising endpoint security tools. However, 22 per cent are doing nothing.

Earlier this year, Senior Research Analyst at GFI Software Doug Barney stated that employers must take the initiative when it comes to BYOD, adding that IT security training is vital for maintaining best practice.

“Policies are all well and good, but they only work when backed up with training,” he noted in an article for TechRadar.

“Users should understand how to create strong passwords and regularly change them, how to lock a device, how to manage security settings, how to use encryption, and how to handle company data.”

Cloud spending push highlights need for new technology considerations

Cloud spending has recently broken the US$4 billion mark in the EMEA, according to a new study from the International Data Corporation (IDC) released on July 17.

The report found that cloud is a major disruption factor within the EMEA market, and is having similar effects to those seen in other countries around the world. New cloud technologies are accounting for a growing portion of hardware spending and influencing vendor strategies.

It's highly important that businesses understand the value of the cloud, especially given the benefits to operations.

Following adoption of a cloud document storage system, for example, data is kept safely offsite, and can be accessed from a variety of devices where and when required. Other systems include cloud-based video calling and collaborative document editing.

The IDC report explored exactly how the cloud is changing businesses, and what implementation can offer. The radical departure from previous systems certainly can be difficult to understand, but adequate training is a useful solution.

"Along with Big Data, social, and mobility, cloud represents one of the four pillars of IDC's 3rd Platform vision – the new paradigm of IT usage that is revolutionising the way technology is adopted in commercial and consumer environments," said Giorgio Nebuloni, a research manager at the IDC.

He went on to explain that hybrid cloud will likely become the system of choice for businesses, given the flexibility this solution offers over a fully public or private approach.

"Hybrid cloud allows customers to retain sensitive data behind a corporate firewall while still taking advantage of cloud-related lower costs," he said.

IT project management training is highly useful when it comes to education about the benefits of the cloud, as all required levels of the organisation can gain an appreciation for what the technologies offer.

As cloud hardware and software continue to be a disrupting force, it's essential to understand the importance of education.

Building a future-proof IT strategy

IT has moved to become a top business priority for most organisations over recent years, affecting areas such as productivity, collaboration and overall business operations. It's now essential that considerations are given to future-proofing the IT strategy of a company, and ensuring every facet is fully explored and understood.

An outline of the current state of IT, what needs to be accomplished over the next few years and the key areas of focus will be detailed below. A comprehensive IT strategy should become the next major priority for organisations.

The current state of IT

IT future-proofing can often appear difficult for businesses, especially given the constantly changing nature of the underlying technologies. As such, it's often not hard for a culture of indifference to breed within organisations, and for IT to be subsequently pushed to the background of developments.

It's going to be important to create forward-thinking strategies as IT becomes increasingly important for productivity, collaboration and cutting down expenditure.

Businesses should assess the strategies of government agencies, such as the NSW State Records Initiative. This department is future-proofing IT by creating digital record keeping systems and promoting the digitisation of state records. 

An outline of what needs to be done

Strategies can seem difficult to put in place, but by breaking down the key areas of focus businesses can ensure every area has been taken into account. Attention needs to be placed on information, security and mobile technologies. Of course, companies may need to adapt as new technologies or trends begin to have an impact on organisations.

Here are three key areas of IT that businesses need to pay attention to in the near future.

An information approach

Moving to a new information management system can often be one of the more extensive changes a business makes to operations, but it's a vital part of ensuring security and efficiency over the long-term. An information approach entails managing discrete pieces of content rather than documents themselves.

This approach is especially useful for cutting back on printing and unnecessary data duplication. Basically, data is created in one location, and subsequently used wherever needed. Instead of being required to print documents multiple times, a digital alternative is accessible from computer systems throughout the organisation.

Focusing on security

Perhaps one of the most overlooked areas of an IT strategy, security needs to become a primary area of focus, especially due to the ever-expanding number of threats.

Outside attackers are only becoming more proficient at breaching secure business networks, and inaction on the part of the company can result in costly data breaches. These can often lead to financial damage and a stained reputation among customers.

IT security training is the best option here, as it ensures staff at all levels of the organisation understand the necessity of security.

Understanding mobile

Mobile devices represent perhaps the biggest technological leap forward for businesses, given the accessibility for both SMEs and large enterprises.

Defining the role of mobile is key, as a clear goal is able to ensure the organisation understands why the devices are used, and what benefits they offer.

The Cisco Visual Networking Index, released earlier this year, found global mobile data traffic to have grown 81 per cent in 2013, with the number of connections continuing to grow throughout the year. As such, it's crucial that appropriate considerations are given to mobile devices, and their roles within the business.

Conclusion

Training is one of the best ways for organisations to prepare for change, and should be at the forefront of business planning. With a focus on training in areas such as IT project management and IT security, staff can understand why certain technologies are useful for the enterprise, and the best methods of implementation.

As training can be utilised at all levels of the organisation, even business executives can be taught the necessity of various technologies, and the value of a future-proof IT strategy.

3 ways to effectively educate employees

Education is an essential facet of modern business operations, especially when staff need to take on new skills. The issue that's often faced is educating effectively, and ensuring that staff have taken on the necessary skills.

Commonly, changing circumstances such as evolving cyber risks can require further staff education. By undertaking information security training courses, for example, staff are aware of the practices required to prevent security threats.

Here are three tips to ensure effective staff education.

Optimise employee strengths

There's no denying that staff will have different skills within the organisational structure, and it's important to ensure these skills are fully utilised. Building on these skills can help to establish a workplace where staff are able to adopt different roles, or fill in as required.

This type of training can be useful in constantly changing business environments, as the workforce will be more adaptable.

Set goals

When large training programs are undertaken, or specific courses are put in place to teach particular skills, it can be easy to lose sight of exactly what needs to be accomplished. For example, an IT security training course may be led astray, incorporating unnecessary elements that only serve to waste time.

A set of clear goals is able to keep the education process aligned while it's undertaken, ensuring staff can learn effectively.

Ensure constant training

While one-off training courses are sometimes required for learning new tools or applications, the value in ongoing training in detailed subjects cannot be overstated. For a topic such as IT security, for example, frequent refresher courses can ensure staff are kept aware of the latest threats, and the required prevention measures.

Refresher courses are also extremely useful to keep staff engaged in particular topics, as the frequent education is able to build interest.

By understanding how to effectively educate staff, businesses are in the best position moving forward. Many may want to consider the value of a comprehensive training course.

Building an effective IT strategy

The role of IT has grown over the past few decades to become a substantial part of business operations for most companies. Now, a substantial number of technologies and processes are used throughout the vast majority of organisations.

To ensure comprehensive management of IT, an effective strategy needs to be implemented across all levels of staff. The question is, how should this process be undertaken?

Defining the strategy

An IT strategy can be most clearly defined as a process employed by businesses to ensure success through IT implementation. Due to the benefits that new technologies offer organisations, coordinating efforts into an effective strategy offers the best chance of success.

"Although some or all tasks involved in creating the IT strategy may be separate, […] IT strategy it is an integral part of the business strategy," explains research organisation Gartner in its online IT glossary.

Clarify and communicate

Once the goals of the strategy have been defined, it's necessary to clarify and communicate them to staff. While this may seem difficult, it's actually a relatively simple process.

Clarification is important, and needs to focus on broad understanding across all levels. It's all too common for strategies to be expressed as executive level statements that most staff cannot understand, making them inaccessible. An IT strategy should have clearly defined objectives and provide clear direction.

Following clarification, communication needs to become the next step. Organisations can often struggle to communicate effectively, and are usually disjointed across all departments. It's important that discussions occur at each level of the company, effectively communicating the IT strategy to different departments and staff.

As such, the strategy is clearly understood by every member of the organisation.

Taking advantage of a workshop

A workshop from ALC could be the best method of IT strategy implementation, as it's able to outline and explain the tools businesses require to formalise and deliver a strategy.

In an environment of different stakeholder needs, a workshop is almost certainly the best option for businesses.

A breakdown of COBIT 5 courses

IT is rapidly changing businesses around the world, enabling greater marketplace flexibility, agility and performance. In addition, it's also helping to drive operational costs down. Of course, with the push for IT comes risk, and the need for training.

IT governance is defined as a set of processes that enable a business to reach goals through effective and efficient use of IT. As a subset of corporate governance, it also deals with performance and risk management. Control Objectives for Information and Related Technology (COBIT) is a framework that can ensure staff are given the best possible information when looking to achieve IT governance.

It's now essential that businesses and IT professionals invest in proper training in frameworks such as COBIT. Here are several COBIT 5 courses which ALC Training offers, that you should consider undertaking to place yourself and your organisation in the best position.

Foundation courses

The first option is a three day course that's essential for staff new to COBIT 5 and IT governance in general, as it provides an overview of the framework and the components. For staff who are already familiar with the principles and frameworks, a two day course is available that spends less time on case studies and examples.

These initial courses serve as the jumping off point for training, before staff head onto more complex initiatives.

Implementation

Following the initial foundation course, it's time to move onto an implementation program. By undertaking the next stage, staff are able to gain a practical appreciation of COBIT 5, and how it can be applied to various trigger events, risk scenarios and problems within a business.

The key focus of implementation training is on how to apply COBIT 5 to an enterprise in different implementation scenarios. As businesses are constantly changing, having the adaptable framework on hand is essential.

Risk management

IT risk can occasionally be mislabeled as purely an information security concern, when in fact it impacts the entire organisation across all activities. It's easy to see why, as IT risk is essentially just any risk related to information technology, which is often in use throughout the business.

By understanding IT risk, and being able to manage the issue better, businesses are able to see improved performance. The COBIT 5 for Risk program is designed for risk professionals, as well as other interested parties within the enterprise.

Assurance

This course is designed for a more broad business audience, encompassing assurance professionals at both management and governance layers. Boards and audit committees are also included here, along with business and IT management stakeholders.

Further practical guidance is also provided here on planning, executing and following up on assurance reviews, through use of a road map. This map is designed based on accepted assurance approaches.

Strategic Overview

This final program is designed for a more senior audience, beyond the programs listed above. Commonly, board level, C-suite and other IT and non-IT staff are included here. This program is designed to provide a more broad strategic understanding as to how COBIT 5 covers businesses, and can enable effective management and governance of enterprise IT.

Due to the scheduling requirements of higher levels of staff, the presentation time is customisable to suit.

Contact ALC Training today if you'd like more information on COBIT 5 training, to put your staff in the best position moving forward over the next few years. The advantages of this training mean IT departments are more capable and ready to adapt to change.

Why you should consider an introductory course for ISO/IEC 20000

The rapidly evolving IT environment requires businesses to remain on top of the necessary skills and standards, in order to ensure compliance and effective management.

The role of ISO/IEC 20000

Understanding the international standard for IT service management, ISO/IEC 20000, may seem a difficult task, but it's actually straightforward when broken down. ISO/IEC 20000 describes an integrated set of processes designed for management, which ensure effective service delivery to businesses and customers.

ISO/IEC 20000 can be used to fill a number of requirements, including:

The history of ISO/IEC 20000

ISO/IEC 20000 was first released in 2005, following development of earlier standards such as BS 15000 from 2000 through to 2002. The series was designed to apply to both small and large service providers, and meet the requirements set forth for service management.

Essentially, the standard can ensure the best possible service is delivered to customers within predetermined resource levels.

An introductory course to ISO/IEC 20000 is the best way to approach the standard, and ISO/IEC Fundamentals is ideal. By completing the three day course, participants will ensure they have a solid knowledge of the fundamentals – invaluable over the next few years.

Once the course has been taken, organisations that have aligned with the standard will be able to gain a greater alignment between IT services and business strategy, along with the creation of a framework for service improvement projects.

ISO/IEC 20000 needs to be considered in the near future, as it's able to significantly benefit business operations.

CIOs need to prioritise digital business technologies

Digital business technologies are changing how organisations operate within the marketplace and will soon require CIOs to ensure the organisation has a clear position, new research has revealed.

This came as part of a study from analytical organisation Gartner, which identified emerging technologies such as the Internet of Things (IoT), wearable technologies and even 3D printing as important considerations for modern businesses.

Gartner Fellow Hung LeHong explained that CIOs could hesitate to integrate digital business technologies into the wider IT responsibility infrastructure, due to their emergent and as-yet untested nature.

"Many companies are looking to digital business technologies as their next source of competitive advantage. There is too much at stake – in both business value and technology investment – for CIOs to stay in the margins," Mr LeHong said.

"[We believe CIOs] should participate in innovating and in testing the business cases for these technologies in the early stages."

Digital businesses will need to focus on several areas, but there are two which require immediate consideration.

Cybersecurity

Digital business technologies can already be found in use throughout many business operations, but security is still lacking. The success of digital business technologies hinges on successful cybersecurity implementation, and this will need to become a priority.

The Internet of Things

The IoT presents a number of business opportunities, including greater efficiency and reduced operating costs. CIOs will need to approach the trend cautiously, however, as any implementation is likely to impact existing technology bodies already in place.

Ensuring readiness for the coming digital transformation can seem difficult, but it's actually easy to handle with IT project management training. This type of program is both cost-effective and simple to undertake. Following the comprehensive training, a business is in the best position moving forward.

To guarantee success when handling digital IT transformation, an ALC Training PRINCE2 Practitioner Certificate Program can ensure mastery of project management.

IT security training lacking, survey reveals

IT security training and education is lacking throughout many businesses worldwide, with Australian businesses among the worst culprits.

That is the upshot of a new global report by the Ponemon Institute, which highlighted a range of challenges and issues facing today's cyber security professionals.

The organisation identified various problems with IT security initiatives, including communication roadblocks between departments and a need for more funding.

According to the Ponemon Institute, security intelligence and user education are key elements in bridging cyber security gaps. However, many firms are failing to provide sufficient staff training in this area. 

The data showed 48 per cent of employers do not offer cyber security education to personnel, compared with 47 per cent who do. Just 4 per cent said they planned to begin IT security training within the next 12 months.

In Australia, the figures were even lower, as only 40 per cent were currently educating staff on cyber security risks. This was one of the lowest percentages, with only Brazil registering a worse score (32 per cent) among the countries surveyed.

Hong Kong (57 per cent), Singapore (55 per cent) and India (54 per cent) exhibited the highest levels of IT security training for employees. However, Australia did perform well when it came to tackling risk.

"An effective approach to reducing the risk of a cyber attack is to conduct cyber threat modelling exercises," the institute explained.

"The countries with the highest belief that [this] is essential or very important are India, Australia and the US."

The IT security landscape

Overall, the Ponemon Institute's report – titled Roadblocks, Refresh and Raising the Human Security IQ – noted dissatisfaction among IT security professionals regarding their organisations' protective measures.

Nearly 30 per cent said they would implement a complete overhaul of their current enterprise security system if given the chance, and a further 21 per cent desired mild to moderate amendments.

Advanced persistent threats were the biggest fear for 40 per cent of businesses, while data exfiltration attacks ranked second with 24 per cent of the votes.

Other concerns were website hacking (14 per cent), distributed denial of service attacks (12 per cent) and accidental data breaches (8 per cent).

According to respondents, one of the biggest obstacles preventing cyber security risk procedure improvements was a lack of communication between IT departments and executives.

Almost one third (31 per cent) of security professionals said they never speak to the executive team, with 23 per cent claiming they talk only once a year. A mere 1 per cent said meetings are conducted on a weekly basis.

More funding 'needed'

Among the most common complaints expressed by businesses was a lack of appropriate funding to tackle ever-increasing cyber-security threats.

More than half (52 per cent) of IT security experts argued their organisation does not invest enough money into skilled staff and technologies.

"To deal with the challenging and dynamic threat landscape, organisations need to have the intelligence to anticipate, identify and reduce the threat," the report stated.

However, plans for the future look encouraging, as 49 per cent of businesses are expected to make significant adjustments to cyber security investments over the next 12 months.

Professionals claimed the top three events most likely to drive spending on such measures are intellectual property (IP) theft, data breaches involving customer information and loss of revenues due to system downtime.

Insider threats are also common, with 67 per cent of respondents claiming they know a colleague or peer whose company has had confidential data or IP stolen by someone within the organisation.

In Australia, this figure climbed to 88 per cent – significantly higher than the global average.