Even with the increase in threats and actual experienced attacks, executive and IT teams alike feel like they’re simply not ready for the next attack.
You are already well aware that cyber-security is paramount to the success of your organization. Many of you likely fall into the 45% of organizations that have experienced one or more attacks in the last 12 months, with the cost of responding to an incident ranging anywhere from $500 to $25 million. Of those experiencing attacks, 67% experienced two or more in a 12-month period. And yet, organizations just like yours are only spending an average of 1.7% of revenue on cyber resilience.
Attacks include the usual suspects – phishing attacks, ransomware, malware intent on establishing a foothold for a data breach attack, and drive-by attacks that compromise websites in order to infect future visitors.
With the threat of attack and the risk of compromise so high, the obvious question is: why aren’t organizations ready?
The answer may be found by looking at a few stats from a recent survey by global advisory organization Willis Towers Watson:
- Only 15% believe they have an adequate cyber-savvy workforce
- Only 23% feel the organization can assess & quantify risk well
- Only 13% of boards feel their organization is properly learning from past incidents
An organization’s ability to assess risk, and then to formulate and execute a security plan, revolves around the issue of budget. According to Willis Towers Watson, 73% of boards feel they need to be increasing security spend by 10% or more.
So, where should you spend it?
- Staff – you need IT staff focused on a lifecycle of improving security and responding to incidents.
- Education – your IT team needs a security mindset, incorporating security controls into established processes and new projects. Obtaining security-focused education will help elevate their understanding of existing risk and the importance of proper security.
- Layered Security – don’t put your security eggs in one solution basket. A defense in depth strategy is the best way to put up defenses that can stop an attack.
- Culture – no other aspect of security reduces the risk of malware or ransomware infection like creating a security culture within the organization using Security Awareness Training.
And that security culture needs to start at the top – getting executive teams and the board to recognize the importance of cyber security is the only way of successfully doing business today. Once the leadership believes in the need for security to permeate every part of the business, budget will be allocated, appropriate staffing will increase, better strategy will be executed, and a security mindset will spread across the organization – all putting the organization in an elevated state of readiness for the next attack.