Late last year, ESG published a research report titled Through the Eyes of Cyber Security Professionals, in collaboration with the Information Systems Security Association (ISSA). As part of this report, 437 cybersecurity professionals and ISSA members were asked if they’d experienced a number of types of security incidents. The research revealed that:
- 39% of organizations experienced one or several security incidents resulting in the need to reimage one or several endpoints or servers.
- 27% of organizations experienced one or several incidents of ransomware.
- 20% of organizations experienced one or several incidents resulting in the disruption of a business application.
- 19% of organizations experienced one or several incidents resulting in the disruption of a business process.
It should be noted that between 23% and 30% of the survey population responded “don’t know” or “prefer not to say” when asked about different types of security incidents, so the percentages represented above are likely much higher.
Why are so many organizations experiencing so many security incidents? Lots of reasons, including apathy, money, and the cybersecurity skills shortage. For example:
- 31% of organizations say that their cybersecurity teams aren't large enough for their needs and that this shortage directly led to one or several security incidents.
- 26% of organizations point to a lack of adequate training for non-technical employees as a direct cause of one or several security incidents.
- 21% of organizations say that business and executive management tend to treat cybersecurity as a low priority, and this attitude was a direct cause of one or several security incidents.
- 20% of respondents say that their cybersecurity budgets aren't big enough for the size of their organizations and that this gap was a direct cause of one or several security incidents.
It’s 2017 and cybersecurity issues are a major international issue. Despite this reality, many organizations continue to maintain the same “good enough” security attitude of the past. These organizations have no one else to blame when they are inevitably breached but unfortunately, we the people must deal with the consequences of their irresponsible actions. If this isn’t a reason for changes in public cybersecurity policies, nothing is.
Note: The two ESG/ISSA research reports are available for free download here.