Data security survey reveals overconfidence, lack of preparedness
Many organizations are still overly confident about their data security programs, but in fact they are ill-prepared to defend against a significant cyber-attack.
That is the finding of a new study by Sapio Research, which surveyed organizations in the United States and Great Britain on cyber security-related issues.
The study called this conflict a case of those organizations being “gravely optimistic about their ability to deter or cope with malicious attacks, despite the majority experiencing a breach over the last year and nearly one-fourth experiencing more than 10.”
Also See: No slowdown in healthcare breaches
According to the study, the “potent combination of this lack of preparedness, the frequency of breaches and the potential commercial impact of each one heightens the risk of an ‘extension event,’ i.e. a massive business failure correlating to the breach.”
There are seven primary factors explaining the disconnect between actual preparedness and perceptions of cyber protection, according to the study:
- Inconsistency in enforcing security policies
- Negligence in the approach to user security awareness training
- Shortsightedness in the application of security technologies
- Complacency around vulnerability reporting
- Inflexibility in adapting processes and approach after a breach
- Stagnation in the application of key prevention technologies
- Lethargy around detection and response
“Our finding underscores the problems that contributed to the WannaCry’ ransomware’s ability to cause so much damage around the globe,” said John Pagliuca, general manager of SolarWinds MSP, which sponsored the research. “These results beg the question. ‘How can IT leaders feel so prepared yet still be so exposed?’ ”
“One of the main reasons is that people are confusing IT security with cybersecurity,” Pagliuca continued. “The former is what companies are talking about when they think about readiness. However, what they often don’t realize is that cybersecurity protection requires a multi-pronged, layered approach to security that involves prevention, protection, detection, remediation, and the ability to restore data and systems quickly and efficiently. The overconfidence and failure to deploy adequate cybersecurity technologies and techniques at each layer of a company’s cybersecurity strategy could be fatal.”