Organizations are not taking appropriate steps to comply with cyber-security standards, and IT leaders must correct this before cyber-attackers strike.
Organizations face serious risks associated with cyber-crime over the next three years, according to a study commissioned by Raytheon in conjunction with Ponemon Institute. Equally troubling, IT executives and managers disregard their organization's security policies, according to another survey from Absolute Software.
A surprisingly high percentage of IT executives—45 percent—knowingly circumvent organizational security policies. Additionally, 46 percent of IT managers believe that employees or insiders represent the greatest security risk to their organization.
A lack of resources and a disconnect between security leaders and top business leadership are preventing companies from addressing growing cyber-security threats, and a majority of respondents (78 percent) said their organization’s top officials have not been briefed on a cyber-security strategy in the last 12 months. In addition, 66 percent of respondents believe senior leaders in their organization do not perceive cyber-security as a strategic priority.
Aside from a communications gap, increased cyber-attacks will cost enterprises millions, and not just because of downtime and lost productivity. Within three years, due to the increase in cyber-attacks and cyber-terrorism, organizations will need to invest more in compliance with mandates on critical infrastructure protection and national cyber-defense strategies, according to the report.
The Ponemon study, titled “The Global Megatrends in Cybersecurity 2015,” questioned 1,006 cyber-security CIOs, CISOs and senior IT leaders. It revealed the following about the current state of cyber-security across surveyed organizations:
* Less than one-half of respondents (47 percent) believe their organizations take appropriate steps to comply with the leading cyber-security standards.
* Only one-third of those surveyed believe their organizations are prepared to deal with the cyber-security risks associated with the Internet of things (IoT) and the proliferation of IoT devices.
* Fewer than half of all respondents (47 percent) said their organizations have sufficient resources to meet cyber-security requirements.
* Two-thirds (66 percent) of those surveyed indicated their organizations need more knowledgeable and experienced cyber-security practitioners.
“You don’t have to wait until you’re attacked to take cyber-security seriously,” said Jack Harrington, vice president of cyber-security and special missions at Raytheon Intelligence, Information and Services. “Rallying around the cyber-security issue is critical to address the real threats we face as a global society.”
Many security leaders believe the next three years will determine if organizations can win the cyber-war, according to the study. Understanding the trends that will impact organizations will help IT leaders make more informed decisions about investments in people, processes and technologies.
The survey revealed the following recommendations and observations:
* Prepare to deal with external threats such as nation-state attackers, cyber-warfare or cyber-terrorism. With insider risk decreasing, more resources should be allocated to dealing with an increasingly sophisticated and stealthy cyber-criminal.
* Establish regular cyber-training and awareness programs. These programs are critical in making employees and contractors the first line of defense against malicious or criminal activity.
* Develop a strategy to deal with the risks created by the Internet of things. Conduct a security impact assessment on how the IoT will impact your organization’s security posture.
* Be aware of the growing adoption of virtual currencies that will pose new risks to both organizations and customers.
* Understand how to use big data analytics effectively. Big data analytics will have both a negative and positive impact on organizations. The negative will be the vast amounts of sensitive and confidential data that will have to be protected. The positive will be the availability of analytics that will be helpful in detecting and blocking cyber-attacks.
* Go back to school and recruit experts in cyber-security. A key differentiator among organizations will be the ability to hire and retain knowledgeable and experienced cyber-security practitioners.
* Invest in the tried-and-true technologies because they will become more important. These include encryption for data at rest and in motion, SIEM and cyber-security technologies and firewalls.
* While leadership for cyber-security initiatives will improve, other governance issues will become more troublesome. These are the inability to secure access rights to data, systems and physical spaces, complexity of business and IT operations, the growth of unstructured data assets and the inability to integrate disparate technologies.
* Prepare to deal with an increasingly litigious environment due to class action and tort litigation. The compliance cost burden will increase for organizations due to mandates on critical infrastructure protection.