Fully 45 percent of IT pros expect their organization to be hit by a major, disruptive attack within the next 12 months, a recent Varonis survey of 500 IT decision makers in the U.S., U.K., France and Germany found.
One in four respondents say their organization was hit by ransomware in the past two years, and 26 percent have experienced the loss or theft of company data within the same period of time.
Still, 89 percent of respondents say they’re confident in their organization’s cyber security posture and believe they’re in a good position to protect themselves from attacks, and 82 percent say they’re confident that hackers don’t currently have access to their network.
At the same time, just 57 percent of respondents fully restrict access to sensitive information on a “need-to-know” basis.
“It is encouraging that IT professionals are understanding that it’s a matter of when, not if, their organization will be hit with a damaging cyber attack,” John Carlin, chair of Morrison & Foerster’s global risk and crisis management practice, said in a statement.
“However, their level of confidence when it comes to security is inconsistent with what we see in practice,” Carlin added. “The reality is that businesses are consistently failing to restrict access to sensitive information and are regularly experiencing issues such as data loss, data theft and extortion in the form of ransomware.”
Keeping Data Safe
A separate survey of more than 600 CISOs and other security leaders, conducted by the Ponemon Institute on behalf of Radware, found that 45 percent of respondents experienced a data breach in the past year, and 68 percent aren’t confident they can keep corporate information safe.
And they’re not doing much to improve things — 52 percent of respondents don’t inspect the data they transfer via APIs, 51 percent don’t perform any security audits or analyze API vulnerabilities before integration, and 56 percent don’t have the ability to track data once it leaves the company.
Just 27 percent of respondents in healthcare are confident they can safeguard patient records, even though almost 80 percent say they’re required to comply with government regulations. Sixty-two percent of healthcare respondents have little or no confidence in their organization’s ability to implement security patches and updates rapidly.
Fully 68 percent of respondents aren’t confident they’ll be able to meet GDPR requirements when they take effect in May of 2018.
“It’s alarming that executives at organizations with sensitive data from millions of consumers collectively don’t feel confident in their security,” Radware vice president of security solutions Carl Herberger said in a statement. “They know the risks, but blind spots continue to pose a threat.”
The Best Defense
A RedSeal survey [PDF] of 600 U.K. and U.S. CISOs and senior IT decision makers found that 54 percent say they don’t have the tools and resources they need to respond to the current threat landscape, and 55 percent say they can’t react quickly enough to limit damage in the event of a major security incident.
Just 20 percent of respondents are extremely confident their organization will be able to continue running as usual after a cyber attack or data breach.
Only 25 percent of respondents’ organizations test their cyber security response to a major incident annually, if at all. Fifty-five percent admit they don’t test their strategies frequently enough because it’s resource-intensive (29 percent), outside their budget (27 percent), or takes too much time (26 percent).
“This report underscores the urgency for the leaders of cyber strategy to pivot and aggressively pursue resilience, the ability to maintain business as usual while navigating an attack, as the new gold standard,” RedSeal CEO Ray Rothrock said in a statement. “Being prepared is the best defense.”