Despite years of widespread data breaches and increased regulatory demands, 75 percent of respondents to a recent survey do not believe that they have an adequate information security budget.
Additionally, attackers continue to successfully use compromised credentials in attacks, and while 93 percent of organizations surveyed are aware of the vulnerability and attack technique — they have much more work to do to protect themselves.
These are the top findings from a survey (pdf) of more than 350 organizations based in North America, conducted by security awareness and training services provider KnowBe4. Not surprisingly, 81 percent of organizations, on average, had some level of concern regarding security issues.
Of the top types of attacks, phishing and ransomware ranked just below the compromising of credentials. The report also found:
- 92 percent of organizations rank users as their primary security concern. And at the same time, security awareness training along with phishing testing topped the list of security initiatives that organizations need to implement.
- Organizations today have a large number of attack vectors to prevent, monitor for, detect, alert and remediate. In terms of attacks, 95 percent of organizations are most concerned with data breaches.
- Ensuring security is in place to meet GDPR requirements is still a challenge for 64 percent of organizations, despite details of the regulation being out for quite some time.
Most every security professional is aware that layered security practices are more effective. For example, should an attacker manage to get around defenses, a mature and effective security program that includes monitoring and response could identify the breach and mitigate it quickly. Compare that to an organization that has little to no monitoring that finds out they’ve been breached from a partner or a notification from law enforcement after data has been found circulating in underground forums.
While most organizations are aware of the need for a layered security strategy, many have yet to implement such a program. The survey found that while 42 percent of organizations have one or more of the initiatives commonly found in a layered security strategy in place, they typically only utilize three out of the eleven practices, which are:
- Security awareness training (80 percent concerned about implementation)
- user phishing testing (78 percent)
- multifactor authentication (73 percent)
- supply chain security (73 percent)
- IoT security (70 percent)
- identity management (70 percent)
- insider threat detection (69 percent)
- incident response (67 percent)
- cloud security (60 percent)
- secure file transfer (51 percent)
- endpoint protection (42 percent)
Interestingly, those organizations that lacked a healthy security culture were 70 percent more likely to have serious concerns with negligent users.
*** This is a Security Bloggers Network syndicated blog from Cybersecurity Matters – DXC Blogs authored by Cybersecurity Matters. Read the original post at: https://blogs.dxc.technology/2019/03/12/majority-of-organizations-still-report-a-lack-of-cyber-security-budget/