When TrainACE asked more than 200 senior-level IT and security professionals about cyber security practices in their businesses, 59 percent said their company has a cyber incident response plan. The attacks companies are most concerned with are phishing and social engineering (37 percent), followed by mass malware (25 percent). The largest share of respondents, 32 percent, think Web-facing applications are the most vulnerable target in their organization, followed by Internet-exposed devices.
More than half (54 percent) of the respondents indicated that their company had not been hacked or experienced a data breach in the last 12 months. Forty-eight percent of respondents think current and former employees pose the greatest cyber security threat to their organization, followed by hackers (33 percent). The number of respondents who found a Trojan on their work computers, 46 percent, was equal to the percentage who had not. Eighty-one percent of respondents said their company follows a set of update guideline procedures, while 90 percent have password policies in place.
Of the 17 percent of respondents who indicated they had been hacked or experienced a data breach, 70 percent found a Trojan on their work computer; nearly 20 percent of those who confirmed a hack or breach said they don’t have a cyber incident response plan but are now considering one. Not surprisingly, of those respondents who said they do not have a cyber incident plan and are not considering one, most said they also do not have a set of update guidelines and don’t plan to implement them. The percentage of companies with password policies also dropped sharply, to 68 percent.
These findings suggest that while most companies are employing best practices when it comes to cyber security, there is still a way to go before adoption is universal. All companies have different reasons and needs when it comes to cyber security, but it’s troubling to learn that many still don’t have the basics in place, such as a cyber incident plan or a set of update guidelines. Of course, these are generally the companies that learn the hard way after a hack or data breach.
The largest share of respondents – 42 percent – said that their organization is “extremely” effective in identifying and mitigating cyber threats with internal employees. Those companies that had been hacked or breached said their organization was only “moderately” effective. For respondents who said they have no cyber incident plan and are not considering one, “not really a concern” became the top answer on identifying and mitigating cyber threats with internal employees. Most respondents, regardless of their answers, knew whom to contact in their company if they are hacked or if their computer is infected.
When it comes to company spending on cyber security measures this year, most respondents indicated an increase, most of which was going towards software. Of those respondents who knew what percent of their organization’s overall IT budget is allocated for information security, most said six to 10 percent. Plans to hire more IT security staff over the course of the year appear flat – yes and no were evenly split at 30 percent. Most respondents – 75 percent – said they have training for security policy in place.
These are only a few of the findings in the survey. Anyone who is interested in how companies approach cyber security should check it out.