Untrained staff is the biggest cyber risk, according to report
Untrained staff is the greatest cyber risk to business and 87% of executives know it, according to a report by ESI ThoughtLab, in conjunction with Willis Towers Watson. Compounding this, the report found that staff training ranked among the categories that have made the least progress when measured against the NIST cybersecurity framework.
ESI ThoughtLab surveyed 1,300 organizations with revenues ranging from under $1 billion to over $50 billion, across multiple industries.
The research also found that the most common types of attacks include malware/spyware (81%) and phishing (64%). Unsophisticated hackers (59%) and cyber criminals (57%) were identified as the next biggest external threats.
Based on scores relating to progress on the NIST cybersecurity framework, ESI ThoughtLab segmented companies into three stages of cybersecurity maturity: beginners, intermediates and leaders.
The survey found a company’s threat perception varied based on the firm’s cybersecurity maturity. For example, cybersecurity leaders tend to focus more on “Hacktivists” (52%) and malicious insider threats (40%). However, cybersecurity beginners spend more time worrying about external threats (42%) such as partners, vendors, and suppliers.
Additionally, the research found that cybersecurity leaders invest more in cyber resilience than their beginner counterparts when it comes to post-cyber-incident processes.
As companies become more advanced in cybersecurity, they increase their investment in cybersecurity resilience. Cybersecurity beginners spent 14% of their cyber budget on recovery, while cyber leaders spent 18%.
Other key findings around cybersecurity maturity and investment in cyber risk include:
- 91% of cybersecurity leaders feel their investment is adequate to meet their needs
- 33% of cybersecurity beginners view their investment as adequate to meet their needs
- 73% of companies plan to use behavior analytics as a cybersecurity tool over the next two years
- 80% of companies have at least a small amount of cybersecurity insurance. However, manufacturers have, on average, one of the lowest amounts ($8.6 million).