80 percent of ISACA survey respondents expect a cyberattack to hit their organization this year, but many remain unprepared.
Of the security professionals who participated in the study, 80% said they expect their organization to come under attack by cybercriminals this year. 53% said cyberattacks had increased in 2016, reflecting the changes in entry points and threat types.
According to the study, some key insights include:
- IoT overtook mobile as the primary focus for cyber defenses, as 97% of organizations see a rise in its usage. As IoT becomes more prevalent in organizations, cybersecurity professionals need to ensure protocols are in place to safeguard new threat entry points.
- 62% reported experiencing ransomware in 2016 but only 53% have a formal process in place to address it—a concerning number given the significant international impact of the recent WannaCry ransomware attack.
- Malicious attacks that can impair an organization’s operations or user data remain high in general (78% of organizations reporting attacks).
The study also found that fewer than 1 in 3 organizations say they routinely test their security controls, and 13% said they never test them at all. Additionally, 16% admitted they do not have an incident response plan in place.
“There is a significant and concerning gap between the threats an organization faces and its readiness to address those threats in a timely or effective manner,” said Christos Dimitriadis, group head of information security at INTRALOT. “Cybersecurity professionals face huge demands to secure organizational infrastructure, and teams need to be properly trained, resourced and prepared.”
The respondents indicated that substantial roadblocks exist for cybersecurity professionals despite cybersecurity being an increasing priority for organizational leaders. The good news is that 65% of organizations surveyed now employ a chief information security officer, up from 50% last year.
Leaders are still struggling to fill such positions, however, as part 1 of this year’s State of Cyber Security report indicated. Nearly 50% of respondents said they are uncomfortable with their cyber team’s ability to address complex security incidents and risks, and over half said they are frustrated with cybersecurity professionals’ inability to understand their business. Despite this, 1 in 4 organizations admitted they have training budgets of less than $1K per employee, and fewer organizations will be increasing their budgets this year. Only 50% indicated they would, down from 61% last year.
“The rise of CISOs in organizations demonstrates a growing leadership commitment to securing the enterprise, which is an encouraging sign,” said Dimitriadis. “But that’s not a cure-all. With the number of malicious attacks increasing, organizations can’t afford a resource slowdown. Yet with so many respondents showing a lack of confidence in their teams’ ability to address complex issues, we know there is more that must be done to address the urgent cyber security challenges faced by all enterprises.”