Four in 10 chief information security officers (CISOs) admit their companies are unprepared to stop cyber attacks despite a surge in cybersecurity spending – but with just 29 per cent of CEOs saying the same, it seems many chief executives remain dangerously overconfident.
The findings, which emerged in a major new ThoughtLab-Elastic survey of 1,200 large companies across 16 countries, highlight the ongoing challenges for companies seeking to protect their operations and data against an onslaught of cybercriminal attacks.
Much of the deficiency has come from the rapid pace of digital innovation in recent years, with 41 per cent of respondents blaming pressures to digitally transform their businesses faster than ever during the pandemic.
Executives say the pressure to transform comes from increasingly customer-centric business strategies – including e-government initiatives – but with many projects glossing over security fundamentals to speed delivery, companies have been setting themselves up for compromise and failure.
Weak spots in companies’ software and networks were open doors for cybercriminals, with problems such as software misconfigurations cited by 49 per cent of respondents and human error (40 per cent), poor maintenance (40 per cent), and unknown assets (30 per cent) each creating issues.
“Organisations need to find the right balance between protective and reactive measures, such as detection and response,” said Augusto Barros, vice president and cybersecurity evangelist with co-sponsor and security firm Securonix.
“Security executives often invest more in protective measures and not enough to handle situations when they fail. These investments should allocate resources appropriately across people, process, and technology.”
Yet while many companies had tried to spend their way to better security – respondents reported a 51 per cent average jump in cyber security budgets as a percentage of total revenue – ThoughtLab nonetheless found around a third of healthcare, public sector, telecommunications, and aerospace and defence companies admit they are still unprepared to protect their customer, operational, and other data.
That’s a particular concern for Australian critical-industry operators, which have come under the microscope as the Morrison Government imposes new cyber security obligations on data centre operators, utility companies, healthcare organisations, telecommunications operators, financial institutions, and other key industry sectors.
Rather than just splurging on cyber security products, ThoughtLab advises, companies need to make sure the products they do have are well integrated, cover all physical and digital aspects of the business, and take a ‘people-centric’ approach by creating a business culture that is “sensitive to cyber security risks”.
Companies also need to work harder to secure their supply chains so that compromised business partners don’t provide a back door into the organisation – a problem cited by 44 per cent of survey respondents.
“The shift in landscape produced by the pandemic and cross-border conflicts has required organisations to reprioritise strategic objectives and key risks from accelerating digital transformation programs and migration to the cloud,” said Steve Durbin, CEO of industry group the Information Security Forum as the findings were released.
“CISOs must drive the conversation with the board, [and] help address and answer difficult questions regarding cyber security and clarify misconceptions.”
Can’t buy me trust
Improving cyber security practices is about more than just keeping cyber criminals at bay: with companies hoarding private data and consumers seemingly resigned to having their data compromised, companies’ very reputations hinge on their ability to convince customers and prospects that their data is safe.
So far, a recent Imperva study found, companies aren’t prosecuting their case with customers very successfully at all.
“Exhausted consumers have given up on security,” the report concluded, noting that two-thirds of the 1,004 surveyed Australians said they have “no idea” how many companies they’ve shared personal data with – and that 31 per cent believe it’s “inevitable” that their data will be leaked eventually.
Consumers “understand the risks of having their personal information leaked or stolen,” said Imperva ANZ area vice president Tony Mascarenhas. “However, many of us feel like we have no choice but to share our data if we want to participate in the digital economy.”
Just 43 per cent of respondents said they trust financial services companies to protect their data, while other industries that were flagged by ThoughtLab as having particularly poor security – such as healthcare and government – also fared poorly on Imperva’s trust study, with just 37 per cent of respondents trusting them to keep their data secure.
Fewer than 10 per cent of respondents said they trust messaging services, social media, media and streaming services, online gaming, and retail companies – and 28 per cent said they don’t trust any of the companies to keep their data secure.
“Organisations face a complete breakdown of trust unless they begin rebuilding now,” said Mascarenhas. “While organisations rush to introduce more digital innovations, it is vital they don’t overlook the potential security risks these new technologies create.”