According to the results of a recent SpiceWorks survey of more than 600 IT professionals in the U.S. and U.K., only 29 percent of organizations have a cyber security expert working in their IT department, and another 23 percent contract with outside security experts to help protect their environments.
A separate SpiceWorks survey of 1,000 IT pros found that 67 percent of respondents have no cyber security certifications. Just 17 percent have the basic CompTIA Security+ certification, 2 percent have the CISSP certification, and just 1 percent have the Certified Ethical Hacker (CEH) certification.
And while 24 percent of respondents said their employers actively encourage employees to pursue IT training, 57 percent said their employers are somewhat open to it but would take some convincing, and 19 percent said their employers don’t encourage such training and aren’t willing to pay for it at all.
When asked what devices they can confidently protect, 82 percent of respondents said they’re confident in their ability to protect laptops and desktops, and 80 percent said the same of servers. Still, just 36 percent said they’re confident in their ability to protect IoT devices, and just 44 percent said the same of cloud services.
Lack of visibility
A separate Netwrix survey of more than 830 respondents found that 75 percent of respondents have partial or no visibility into their cloud and hybrid IT environments, and almost 65 don’t have complete visibility into user, IT and third-party activity in their IT infrastructure.
Fully 78 percent of respondents are unaware or only partly aware of what’s happening across their unstructured data and file storage. BYOD is a particularly vulnerable area — a striking 83 percent of organizations have zero or only partial visibility into their users’ personal devices.
Almost 47 percent of respondents said they believe the increasing complexity of IT infrastructures will make achieving visibility even more difficult in the future.
“In today’s ever-changing threat landscape, companies simply cannot foresee all cyber threats that could affect their data security and system uptime,” Netwrix CEO and co-founder Michael Fimin said in a statement. “Understanding what is happening in the IT infrastructure, including who or what causes malicious events, enables timely threat detection and prevents serious damage.”
Delay in responding
A recent Business Continuity Institute survey of 369 business continuity and resilience professionals in 61 countries found that two thirds of respondents had experienced at least one cyber incident in the previous 12 months, and 15 percent had experienced at least 10 cyber incidents during the same period.
The survey, sponsored by Crises Control, also found that while 31 percent of respondents said they’re able to respond to cyber incidents within one hour, 44 percent said it takes them more than two hours to do so, and 19 percent said it takes them four hours or more.
Sixty percent of companies said they had been hit by phishing and social engineering attacks within the past 12 months, 37 had been hit by spear phishing attacks, 45 percent had been hit by malware attacks, and 24 percent had suffered denial of service attacks.
And while 73 percent of respondents said cyber incidents over the past year had cost them less than €50,000, six percent reported annual costs of more than €500,000.
“Cyber attacks tend to target the weakest links of an organization, and this calls for a greater awareness of cyber crime,” Business Continuity Institute chairman David James-Brown said in a statement. “As the cyber threat evolves, it is crucial to stay on top of it, building long-term initiatives and regularly updating recovery plans.”