It’s a dangerous cyberworld out there. The news carries weekly, sometimes daily, reminders of the potentially catastrophic impact a data breach can have on even the largest of enterprises. Besides the loss or corruption of information itself, there’s the loss of trust from customers who may well decide to bring their business elsewhere. In this information-driven economy, more than ever before, it’s become abundantly clear that a well-honed security strategy is imperative. That makes the findings of a recent Ponemon Institute study (sponsored by Sophos) all the more surprising.
Released this month, The Risk of an Uncertain Security Strategy indicates that many SMB organizations are simply unclear about their security strategy and the threats they face. Included are about 2,070 responses from individuals in charge of their SMB company’s security and risk management. Among the respondents were CIOs/heads of corporate IT, heads of IT security, heads of risk management, CFOs, CEOs and chief operations officers. CIOs/heads of corporate IT made up 61% of the sample.
If any one of these takeaways sounds like it could be coming from your organization — or if you’re simply not sure — it’s time to start strategizing.
- One-third of respondents admit they don’t know if their organization experienced a cyberattack in the past year. This lack of knowledge equals a lack of “actionable intelligence” going forward. These respondents claim that in order to remedy the situation, they will invest in big data analytics and network traffic intelligence over the next three years.
- Respondents in the most senior positions knew the least about cyberthreats to their organization. This uncertainty indicates that the further an individual is from dealing with security on a daily basis, the less they understand the pervasiveness of the risks. According to study findings, 58% of respondents say management doesn’t think cyberattacks are a serious risk.
- Respondents estimate the cost of disruption to normal operations exceeds the cost of damages or theft of IT assets and infrastructure. This clashes with findings in other Ponemon Institute studies where the theft of intellectual property is the most expensive consequence of cybercrime. In this study, respondents appear unable to determine the actual cost of lost or stolen information assets.
- Respondents indicated that company-issued mobile devices and bring your own device (BYOD) raise bigger security concerns than do cloud applications and IT infrastructure services. But these concerns fail to translate into extensive adoption and use of mobile devices, especially personal devices. To lower these BYOD risks, respondents claim their organizations will invest in such protections as Web application firewalls for mobile apps and endpoint management.
- Respondents’ confidence in their cybersecurity awareness and strategies seemed to be similar within specific industries. For example, respondents in financial services indicated a strong understanding and awareness, which can be attributed to the numerous data protection regulations they deal with on a regular basis. Not surprisingly, the technology sector, too, is more security aware, likely thanks to the IT expertise in these organizations. Retail, education and research, and entertainment expressed the lowest levels of awareness.
- Respondents indicated that chief information security officers and senior management are rarely involved in IT security decision making or priority setting. Thirty-two percent of respondents said the CIO of their company is responsible for setting these priorities; 31% say no single function owns the responsibility.
So what happens when cybersecurity fails to be a priority in SMBs and no one seems to know the plan, or even if there is one? The study suggests it can become a vicious cycle. “Uncertainty about how these issues affect an organization’s security posture could lead to sub-optimal decisions about security strategy,” the authors note. And even as boards of directors and higher-level management are beginning to show greater interest in cybersecurity and risk, if IT executives don’t use the best available information in order to make decisions, it will be more difficult to make the business case for investing in the right expertise and technologies.