By Michael Goedeker, Director Pre Sales ESG, CEEMEA, Sophos
The potential business impact of cyber attacks and data loss, along with high-profile data breaches experienced by organizations such as LexisNexis and Evernote, seems to have done little to convince small and mid-size businesses (SMBs) that they should be making cyber security a priority.
Recently, the Ponemon Instituteand Sophos released a study: Risk of an Uncertain Security Strategy, which reveals that security is not a key priority for many SMBs because management and IT functions are uncertain about their organization’s security strategy and the threats they face.
Uncertainty about how these issues impact an organization’s security posture could lead to making sub-optimal decisions about a security strategy. It also makes it difficult to communicate the business case for investing in the necessary expertise and technologies.
Based on responses to 12 survey questions, Ponemon created an “Uncertainty Index” or score that measures where the highest uncertainty exists. The index ranges from 10 (greatest uncertainty) to one (no uncertainty).
So what can SMBs learn from this index?
- With a score of 5.9, U.S. organizations have the highest uncertainty index, followed closely by the UK (5.0). Organizations in Asia-Pacific scored 4.8, while SMBs in Germany seem to have the best understanding of their security risks with an uncertainty score of 3.8.
- Smaller organizations have the most uncertainty. Companies with fewer than 100 employees have an uncertainty score of 6.5.
- Surprisingly, an organization’s leadership team has the most uncertainty. According to the study, the higher the position, the more removed an individual could be in understanding the organization’s risk and strategy. Executive/VP titles have an uncertainty score of 6.9 and directors have a score of 6.8.
- Retailing; education and research; and entertainment and media have the highest level of uncertainty while uncertainty drops significantly for organizations in the financial services and technology sectors. It is possible that the high degree of certainty in the financial sector can be attributed to the need to comply with data security regulations.
Uncertainty creates risk and based on the findings, the study identified seven consequences of an uncertain security strategy:
Cyber attacks go undetected
A significant number of respondents (33 percent) are unsure if their organization experienced a cyber attack in the last 12 months.
Data breach root causes are unknown
While 51 percent of respondents say their organization has had a data breach, 44 percent cannot identify the root cause.
Intelligence to stop exploits is not actionable
Because of the lack of knowledge about the frequency and magnitude of cyber attacks, there appears to be a lack of actionable intelligence. Thirty-three percent say lack of in-house expertise prevents a fully effective IT security posture and 5 percent cite no understanding how to protect against cyber attacks.
Cyber security is not a priority
Forty-four percent of respondents report IT security is not a priority. As evidence, 42 percent say their budget is not adequate for achieving an effective security posture. Compounding the problem, only 26 percent of respondents say their IT staff has sufficient expertise. On average, organizations have three employees who are fully dedicated to IT security.
Weak business case for investing in cyber security
Respondents in more senior positions have the most uncertainty about the threats to their organizations. According to the findings, 58 percent of respondents say management does not see cyber attacks as a significant risk.
Mobile and ‘Bring Your Own Device’ (BYOD) security ambiguity
Fifty percent of respondents say mobile devices diminish an organization’s security posture. However, 58 percent report these concerns are not stopping the adoption of tablets and smart phones within their organization. The survey also reveals that BYOD is a concern. Forty-five percent say BYOD diminishes an organization’s security effectiveness.
Financial impact of cyber crime is unknown
Respondents estimate that the cost of disruption to normal operations is much higher than the cost of damages or theft of IT assets and infrastructure. And 29 percent cannot estimate the cost of damage or theft of IT assets and 22 percent do not know that it costs the organization due to disruption.
Recommendations
So what should SMBs be doing to better protect themselves from the threat of cyber attacks?:
- Organizations need to concentrate resources on monitoring their security situation in order to make intelligent decisions. While assessing where they stand on the security continuum, organizations need to focus on monitoring, reporting and proactively detecting threats.
- Establish mobile and BYOD security best practices. Carefully plan and implement a mobile strategy so that it doesn’t have an impact on the overall security posture.
- Organizations should look for ways to bridge the gap created by a shortage of information security professionals. Consider ways to free-up time for in-house resources, including a move to cloud technologies, security consulting and easy-to-manage solutions.
- Measure the cost of cyber attacks, including lost productivity caused by downtime. Work with senior management to make cyber security a priority and invest in solutions that restore normal business activity more quickly for a high return on investment.
- Organizations in all sectors are regularly breached and regulations are often simply the beginning of properly securing a network. Consider consolidated security management to gain a more accurate picture of threats that will help focus on problem areas.
A copy of the Ponemon Institute study Risk of an Uncertain Security Strategy,can be viewed here.
