Companies lack solutions, resources to tackle growing cybersecurity threats

The second Hiscox annual Cyber Readiness Report finds most organizations lack the right mix of strategy and execution to tackle rising threats to cybersecurity, and the Internet of Things (IoT) is a growing part of the problem.
By Chris Middleton, Vinelake, April 5, 2018

Image courtesy: Ilya Pavlov/Unsplash

The second Hiscox annual Cyber Readiness Report has just been published, and it presents an exhaustive study of responses to the cybersecurity challenge. Forrester Consulting spoke to more than 4,100 executives in the public and private sector from the U.S. and Europe for the report. The results were striking.

The report reveals just under half of respondents (45%) have suffered a cyber breach in the past year—in 42% of cases due to an external hack. Of the organizations targeted, more than two-thirds (67%) suffered two or more attacks, while 21% suffered four or more. A small number were hit more than ten times last year.

Novice or expert?

So how ready were they to fend off the attackers? Forrester measured organizations’ strategies (their oversight and resourcing) against their ability to execute (their processes and technology). From these findings, analysts sorted respondents into three categories: novices, intermediates, and experts.

The bad news is nearly three-quarters of organizations (73%) fall into the novice category, with just 11% qualifying as experts, says the report.

This is despite most respondents understanding the scale of the threat, explained Forrester. "While many firms lack adequate defenses, most are aware of the potential impact of a cyber attack. Two-thirds of respondents (66%) rank the cyber threat alongside fraud as the top risks to their business."

So what sets an expert apart from a novice? Experts combine awareness of the business threats with strategy, professionalism, and proactive engagement, said the report.

"Cyber experts get support from the top and engage a broader range of stakeholders when setting their organization’s cybersecurity strategy. Experts are more than twice as likely to agree ‘there is formal support for cybersecurity from business leaders and executives on an ongoing basis’ (86%, versus 38% for cyber novices). In addition, more than two-thirds (68%) of cyber experts involve the board and executive management in setting strategy."

The internet of risks

A key challenge, according to the report, is that the Internet of Things (IoT) is emerging as a new cybersecurity risk.

Securing the IoT within the organization was cited by 46% of respondents as a goal for 2018—above investing in malware detection (45%), and improving incident response capabilities, ensuring third-party compliance, and reviewing internal security procedures (all on 44%).

"2018 promises to be the year when mandatory reporting of cyber breaches raises awareness and risk to reputations further, as the EU General Data Protection Regulations (GDPR) come into force," said Hiscox adviser Robert Hannigan, the former Government Communications Headquarters (GCHQ) director who set up the UK’s National Cyber Security Centre.

"The rapid growth of the Internet of Things will amplify insecurities by adding millions of new devices with minimal built-in security. For those trying to protect against attack, the shortage of cyber skills will continue to be chronic."

The survey highlights a widening gulf between those who "get" cybersecurity and take it seriously, and those who regard it as someone else’s problem, he added. "Cybersecurity is not an IT issue, but rather a risk for the whole organization; tackling it is more about people, behavior, and culture than clever technology."

Gareth Wharton, cyber CEO at Hiscox, was not impressed with the report’s findings. "As an end of term report, it might have the words ‘can do better’ scrawled on it in red ink," he said. "It highlights the cyber readiness shortcomings of the majority of organizations in our sample, particularly the smaller ones."

Size, along with budget, is part of the problem, suggests the report. "The larger organizations in the sample are better prepared: more than one in five (21%) of those with 250 employees or more rank as experts. A further 17% qualify as intermediates. [By contrast] just seven percent of smaller firms rank as experts." It adds: "Cyber experts had bigger IT budgets than the novices ($19.8 million on average, versus $9.9 million) and devoted a higher proportion to cybersecurity (12.6% versus 9.9%)."

Nearly three out of five respondents (59%) plan to increase their cybersecurity budgets this year, explains the report. However, it warns: "Spending on technology is often the easy part. To be effective, you have to move on all fronts together. That means people, processes and technology. Simply spending on technology is not enough without a fully structured, rigorous set of processes, combined with people who are fully aware of the issues."

Chris Middleton is the editor of Internet of Business (IoB), a CFE Media content partner. This article originally appeared here. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com.
