Businesses Learn Security the Hard Way: Survey

Despite the headlines and repeated warnings, a recent survey suggests businesses still need to learn security lessons the hard way.

Organizations consider defending against phishing and social engineering attacks a priority, worry about Web-facing applications, and know the importance of having an incident response plan, according to a survey of 200 senior-level IT and security professionals conducted by IT training firm TrainACE.

Some of the results painted a surprisingly rosy picture, with more than half, or 54 percent, of survey participants claiming their organizations had not been hacked or breached in the last 12 months. About 59 percent also claimed their organizations have a cyber-incident response plan. Approximately 81 percent of respondents said their companies followed a set of update guideline procedures, and 90 percent claimed to have formal password policies.

The situation was grimmer among the 17 percent who had been hacked or experienced a data breach, TrainACE found. In this group, nearly a fifth of the respondents said their companies did not have a cyber-incident response plan, but were considering one. Many of these respondents said they did not have set update guidelines and only 68 percent of the companies actually had password policies.

“All companies have different reasons and needs when it comes to cyber security, but it’s troublesome to learn that many still don’t have the basics in place, such as a cyber incident plan or set of update guidelines,” said Ralph P. Sita, Jr., CEO and president of TrainACE. “Of course, these are generally the companies that learn the hard way after a hack or data breach.”

As a group, the organizations were clearly aware of the threats. About 37 percent of respondents said their companies were most concerned about phishing and social engineering attacks, followed by 25 percent citing mass malware infections. About a third of the respondents felt Web-facing applications were the most vulnerable to attack within their companies, and a similar number named Internet-facing devices. More tellingly, 48 percent of respondents said current and former employees posed the greatest security threats to their organizations, followed by hackers at 33 percent.

Less than half, or 42 percent, of the survey participants said their companies were “extremely” effective at identifying and mitigating cyber-threats using internal staff. Employees at recently breached organizations were more cautious, and said their companies were only “moderately” effective.

About 46 percent claimed their work computers had been infected by a Trojan at some point.
Cyber-security spending varied among the respondents, but about 37 percent said their organizations planned to increase spending, mainly for software. Only about 10 percent of the organizations planned to focus the increased investments towards hiring more IT personnel, according to the survey.

Almost 40 percent of the respondents had no idea what percentage of the overall IT budget was allocated to information security. Approximately 16 percent of the survey participants estimated that 6 percent to 10 percent of the overall budget went to security, and 11 percent said the figure was more than 20 percent, according to TrainACE.

“The findings we’ve compiled suggest that while most companies are employing best practices when it comes to cyber security, there is still a way to go before adoption is universal,” said Sita.

The full results of the survey are available online in PDF format.