Are organisations giving cybersecurity the attention it needs?

Both consumers and businesses know that data breaches are here to stay.

Cybercriminals are constantly finding new and more complex ways to attack organisations.

The only way to respond is for companies to up their game and match the attackers’ efforts. Recent research by Bitdefender showed that 57% of infosec professionals rate their company’s cybersecurity as very good. However, when looking deeper, we see businesses are due for a thorough security check-up: almost three-quarters of infosec professionals state their organisation may be vulnerable due to lack of resources.

Unveiling organisational weak spots

Six in every ten businesses have suffered a data breach in the last three years. Numbers have been slowly decreasing, mostly because once an organisation is breached, it directs its efforts towards rethinking its cybersecurity strategy. But by being only reactive, not proactive, infosec professionals will never keep the doors to their business’s data shut. In fact, 36% of them think their companies are currently facing an attack without them knowing about it. If organisations are to survive a new global security crisis, a change of mindset is essential.

The need to revisit the current state of cybersecurity in organisations becomes clear once we see how fast this landscape evolves. Currently, 36% of IT workers consider phishing or whaling attacks to be their primary concern. In 2018, only 10% considered this their organisation’s main threat, with most infosec professionals focusing instead on ransomware. In the span of one year, the sector’s perception has changed considerably, which is exactly why businesses have to stay on their toes.

Bitdefender’s research shows IT departments are aware of this, but often have their hands tied when it comes to overcoming vulnerabilities. Infosec teams affirm the two biggest obstacles preventing fast detection and response to threats are a lack of proper security tools and a lack of knowledge, both at 36%, showing a clear need for investment in training and in toolset sophistication. Right behind these obstacles are a lack of budget, lack of personnel and lack of visibility. The latter is actually one of the biggest stressors pointed to by security professionals. Over a third of them mention being stressed, mostly over the lack of cybersecurity understanding from general employees.

Cybersecurity: a company-wide concern

The lack of attention given to security is seen throughout different departments. When asked which departments disregard or push back on information security rules in their organisation, 57% of IT professionals mention sales teams, and, worryingly, senior management. Unsurprisingly, most of those that disregard cybersecurity are also the ones IT professionals deem most at risk of a data breach. This further proves that the IT team can’t solve an organisation’s cybersecurity shortcomings alone; it needs to be a company-wide effort.

Organisations understand the importance of good cybersecurity but many are failing to practise it. It needs to be backed up by three T’s: tactics, tools and training. Without a good strategy, the right technology, or the proper talent and training in place, a business is at a very real risk of being breached. Not to mention, by failing to invest in their infosec assets and team, businesses might end up losing the talent they already have. In fact, 53% of security professionals have considered leaving their current role due to a lack of resources, both financially and in terms of staffing.

Ultimately, data breaches can have a direct impact on customer trust. And, with mass attacks, this can have a devastating long-term effect. You don’t need to be an infosecurity expert to understand that. Fortunately, although there are still steps to be taken, the cybersecurity landscape is changing for the better. There are advanced automated security solutions in the market that can help even the smaller businesses that don’t have the budget for a security operations centre (SOC). Furthermore, companies that are investing in training are proving themselves better at detecting attacks quickly, and more efficient at isolating them.

The road ahead of us has a few bumps and curves, but the view is clear. What infosec professionals need to do now is to scrutinise their current cybersecurity profile and act on what they can improve. And for what they can’t improve, it’s time to take this conversation to the top — so they can drive the conversation from the top down.

About the Author

Liviu Arsene, Senior E-threat analyst, Bitdefender. Works with the malware/vulnerability research teams to investigate new threats and builds in-depth analysis for specialized security media.

Featured image: @Gorodenkoff