Despite the headlines and repeated warnings, a recent survey suggests businesses still need to learn security lessons the hard way.
Organizations consider defending against phishing and social engineering attacks a priority, worry about Web-facing applications, and know the importance of having an incident response plan, according to a survey of 200 senior-level IT and security professionals conducted by IT training firm TrainACE.
Some of the results painted a surprisingly rosy picture, with more than half, or 54 percent, of survey participants claiming their organizations had not been hacked or breached in the last 12 months. About 59 percent also claimed their organizations have a cyber-incident response plan. Approximately 81 percent of respondents said their companies followed a set of update guideline procedures, and 90 percent claimed to have formal password policies.
The situation was grimmer among the 17 percent who had been hacked or experienced a data breach, TrainACE found. In this group, nearly a fifth of the respondents said their companies did not have a cyber-incident response plan, but were considering one. Many of these respondents said they did not have set update guidelines and only 68 percent of the companies actually had password policies.
“All companies have different reasons and needs when it comes to cyber security, but it’s troublesome to learn that many still don’t have the basics in place, such as a cyber incident plan or set of updates guidelines,” said Ralph P. Sita, Jr., CEO and president of TrainACE. “Of course, these are generally the companies that learn the hard way after a hack or data breach.”
As a group, the organizations were clearly aware of the threats. About 37 percent of respondents said their companies were most concerned about phishing and social engineering attacks, followed by 25 percent citing mass malware infections. About a third of the respondents felt Web-facing applications were the most vulnerable to attack within their companies, and almost as many named Internet-facing devices. More tellingly, 48 percent of respondents said current and former employees posed the greatest security threats to their organizations, followed by hackers at 33 percent.
Less than half, or 42 percent, of the survey participants said their companies were “extremely” effective in identifying and mitigating cyber-threats with internal employees. Employees at recently breached organizations were more cautious, and said their companies were only “moderately” effective.
About 46 percent claimed their work computers had been infected by a Trojan at some point.
Cyber-security spending varied among the respondents, but about 37 percent said their organizations planned to increase spending, mainly for software. Only about 10 percent of the organizations planned to focus the increased investments towards hiring more IT personnel, according to the survey.
Almost 40 percent of the respondents had no idea what percent of the overall IT budget was allocated for information security. Approximately 16 percent of the survey participants estimated 6 percent to 10 percent of the overall budget was for security, and 11 percent said the figure was more than 20 percent, according to TrainACE.
“The findings we’ve compiled suggest that while most companies are employing best practices when it comes to cyber security, there is still a way to go before adoption is universal,” said Sita.
The full results of the survey are available online in PDF format.