The potential business impact of cyber attacks and data loss, along with high-profile data breaches experienced by organisations like LexisNexis and Evernote, seems to have done little to convince small and mid-size businesses that they should be making cyber security a priority.
Recently, the Ponemon Institute and Sophos released a study, Risk of an Uncertain Security Strategy, which reveals that security is not a key priority for many SMBs because management and IT functions are uncertain about their organisation’s security strategy and the threats they face.
Uncertainty about how these issues impact an organisation’s security posture could lead to making sub-optimal decisions about a security strategy. It also makes it difficult to communicate the business case for investing in the necessary expertise and technologies.
Based on responses to 12 survey questions, Ponemon created an “Uncertainty Index” or score that measures where the highest uncertainty exists. The index ranges from 10 (greatest uncertainty) to one (no uncertainty).
So what can SMBs learn from this index?
- With a score of 5.9, U.S. organisations have the highest uncertainty index, followed closely by the UK (5.0). Organisations in Asia-Pacific scored 4.8, while SMBs in Germany seem to have the best understanding of their security risks with an uncertainty score of 3.8.
- Smaller organisations have the most uncertainty. Companies with fewer than 100 employees have an uncertainty score of 6.5.
- Surprisingly, an organisation’s leadership team has the most uncertainty. According to the study, the higher the position, the more removed an individual could be in understanding the organisation’s risk and strategy. Executive/VP titles have an uncertainty score of 6.9 and directors have a score of 6.8.
- Retailing; education and research; and entertainment and media have the highest level of uncertainty, while uncertainty drops significantly for organisations in the financial services and technology sectors. It is possible that the high degree of certainty in the financial sector can be attributed to the need to comply with data security regulations.
Uncertainty creates risk, and based on the findings, the study identified seven consequences of an uncertain security strategy:
- Cyber attacks go undetected – A significant number of respondents (33 percent) are unsure if their organisation experienced a cyber attack in the last 12 months.
- Data breach root causes are unknown – While 51 percent of respondents say their organisation has had a data breach, 44 percent cannot identify the root cause.
- Intelligence to stop exploits is not actionable – Because of the lack of knowledge about the frequency and magnitude of cyber attacks, there appears to be a lack of actionable intelligence. Thirty-three percent say a lack of in-house expertise prevents a fully effective IT security posture, and 5 percent cite not understanding how to protect against cyber attacks.
- Cyber security is not a priority – Forty-four percent of respondents report that IT security is not a priority. As evidence, 42 percent say their budget is not adequate for achieving an effective security posture. Compounding the problem, only 26 percent of respondents say their IT staff has sufficient expertise. On average, organisations have three employees who are fully dedicated to IT security.
- Weak business case for investing in cyber security – Respondents in more senior positions have the most uncertainty about the threats to their organisations. According to the findings, 58 percent of respondents say management does not see cyber attacks as a significant risk.
- Mobile and ‘Bring Your Own Device’ (BYOD) security ambiguity – Fifty percent of respondents say mobile devices diminish an organisation’s security posture. However, 58 percent report these concerns are not stopping the adoption of tablets and smartphones within their organisation. The survey also reveals that BYOD is a concern: forty-five percent say BYOD diminishes an organisation’s security effectiveness.
- Financial impact of cyber crime is unknown – Respondents estimate that the cost of disruption to normal operations is much higher than the cost of damage to or theft of IT assets and infrastructure. Yet 29 percent cannot estimate the cost of damage to or theft of IT assets, and 22 percent do not know what disruption costs the organisation.
So what should SMBs be doing to better protect themselves from the threat of cyber attacks?
- Organisations need to concentrate resources on monitoring their security situation in order to make intelligent decisions. While assessing where they stand on the security continuum, organisations need to focus on monitoring, reporting and proactively detecting threats.
- Establish mobile and BYOD security best practices. Carefully plan and implement a mobile strategy so that it doesn’t have an impact on the overall security posture.
- Organisations should look for ways to bridge the gap created by a shortage of information security professionals. Consider ways to free up time for in-house staff, including a move to cloud technologies, security consulting and easy-to-manage solutions.
- Measure the cost of cyber attacks, including lost productivity caused by downtime. Work with senior management to make cyber security a priority and invest in solutions that restore normal business activity more quickly for a high return on investment.
- Organisations in all sectors are regularly breached and regulations are often simply the beginning of properly securing a network. Consider consolidated security management to gain a more accurate picture of threats that will help focus on problem areas.