SecurityWeek
Businesses Learn Security the Hard Way: Survey

Despite the headlines and repeated warnings, a recent survey suggests businesses still need to learn security lessons the hard way.

Organizations consider defending against phishing and social engineering attacks a priority, worry about Web-facing applications, and know the importance of having an incident response plan, according to a survey of 200 senior-level IT and security professionals conducted by IT training firm TrainACE.

Some of the results painted a surprisingly rosy picture, with more than half, or 54 percent, of survey participants claiming their organizations had not been hacked or breached in the last 12 months. About 59 percent also claimed their organizations have a cyber-incident response plan. Approximately 81 percent of respondents said their companies followed a set of update guideline procedures, and 90 percent claimed to have formal password policies.

The situation was grimmer among the 17 percent who had been hacked or experienced a data breach, TrainACE found. In this group, nearly a fifth of the respondents said their companies did not have a cyber-incident response plan, but were considering one. Many of these respondents said they did not have set update guidelines and only 68 percent of the companies actually had password policies.

“All companies have different reasons and needs when it comes to cyber security, but it’s troublesome to learn that many still don’t have the basics in place, such as a cyber incident plan or set of update guidelines,” said Ralph P. Sita, Jr., CEO and president of TrainACE. “Of course, these are generally the companies that learn the hard way after a hack or data breach.”

As a group, the organizations were clearly aware of the threats. About 37 percent of respondents said their companies were most concerned about phishing and social engineering attacks, followed by 25 percent citing mass malware infections. About a third of the respondents felt Web-facing applications were the most vulnerable to attack within their companies, and almost a similar number named Internet-facing devices. More tellingly, 48 percent of respondents said current and former employees posed the greatest security threats to their organizations, followed by hackers at 33 percent.

Less than half, or 42 percent, of the survey participants said their companies were “extremely” effective in identifying and mitigating cyber-threats with internal employees. Employees at recently breached organizations were more cautious, and said their companies were only “moderately” effective.

About 46 percent claimed their work computers had been infected by a Trojan at some point.

Cyber-security spending varied among the respondents, but about 37 percent said their organizations planned to increase spending, mainly for software. Only about 10 percent of the organizations planned to focus the increased investments towards hiring more IT personnel, according to the survey.

Almost 40 percent of the respondents had no idea what percent of the overall IT budget was allocated for information security. Approximately 16 percent of the survey participants estimated 6 percent to 10 percent of the overall budget was for security, and 11 percent said the figure was more than 20 percent, according to TrainACE.

“The findings we’ve compiled suggest that while most companies are employing best practices when it comes to cyber security, there is still a way to go before adoption is universal,” said Sita.

The full results of the survey are available online in PDF format.