Even though information security is a growing concern for businesses, study after study continues to show a lack of appropriate steps by organizations to implement an effective posture. One of the most recent studies (conducted by Ponemon Institute) could shed light on part of the problem.
One challenge is that CEOs and other C-level executives are often completely in the dark about cyberattacks against their companies. The Ponemon study revealed that one third of CEOs and C-level executives are completely in the dark about cyberattacks, even though 63% of them admit that their companies have been victims of one or more advanced attacks in the last 12 months.
The lack of awareness, according to the study’s findings, is due to a lack of security capabilities. The study also found that 39% of executives don’t believe their company has the intelligence needed to make a convincing case to the C-suite about the cyber threats it faces. Even though major breaches such as Target and Sony make it clear how important good security is for businesses, the fact that detection still lags within organizations means CEOs don’t see the immediate danger before a cyberattack actually takes place.
The Ponemon study also revealed that one fifth of organizations take anywhere from one to two or more years to detect attacks, and more than a quarter take up to six months to contain breaches. In addition to detection time being an issue, the study found that security teams are wasting their time chasing false positives.
- 68% of organizations find their security operations team spends a significant amount of time chasing false positives.
- 29% of all malware alerts (on average) received by the company’s security operations teams are investigated, and an average of 40% are considered to be false positives.
- Only 18% find their malware detection tool provides the level of risk for each incident.
These findings go some way toward explaining why organizations and their executives aren’t taking appropriate action, and why vulnerabilities are still winning the cybersecurity battle. Without real risks being found, and with how long it takes to find an attack, an organization has no ‘immediate’ reason to feel concerned or threatened. This delays action, and delays allocating the resources and budget needed to improve data security sooner rather than later. Add to these issues the use of ineffective tools, or basing risk detection on tools alone, and it is easy to see why an organization’s lack of awareness grows even greater.
What CEOs and the C-suite need to face up to, if they want to successfully protect their business and important data, is that they need to invest more in it than just tools and a team: an experienced consultant or a risk management company that specializes in detection, that has the necessary equipment and the know-how to evaluate the entire infrastructure and identify real vulnerabilities quickly, and that can recognize false positives without spending too much time on them. In other words, a business that focuses only on information security, meaning that’s what it does 24/7. It’s not that an in-house security team isn’t good to have, or is inexperienced, but as the Ponemon study shows, there continue to be problems with detection and with the in-house security team’s level of expertise.
- 76% of companies lack visibility of threat activity across the network.
- 63% of businesses have an inability to prioritize threats.
- 55% of organizations lack in-house expertise.
The solutions to the problem are clear: a higher level of information security expertise and an increase in budget. Unfortunately, when it comes to budget, the Ponemon study found that 13% of businesses expect to decrease their budget in 2016.
- The average 2016 cybersecurity budget is approximately $16 million.
- 50% of companies say their budget will stay the same, while only 37% expect to increase their budget in 2016.
The study did find some good news: 30% of companies were able to discover an attack against their company within one to eight hours after it occurred, and 28% were able to contain a breach in the same timeframe. Still, these numbers are low considering the daily breach news that business executives have been seeing throughout the years.
Becoming fully aware of the level of risk an organization faces doesn’t have to wait for a breach to occur; it can be brought to the surface through a simple evaluation of the information security posture that’s in place today.
A security assessment by industry experts can show where your business stands on security and what steps you need to take next to reduce risks. It’s really that simple.
Photo Courtesy of Dirk Ercken