With such an abundance of information around attack methods, vulnerabilities, and potential targets, you would think IT has a handle on cybersecurity. Accenture shows us they don’t.
I’m just going to say it – there is no excuse for not being ready for a cyberattack today! That doesn’t mean your organization is 100% protected and an attack will never happen; I mean your organization has industry data, native and third-party solutions, expertise, and best practices all available to it – there’s no reason why organizations don’t have a handle on cyberattacks and the ways to prevent, detect, and remediate them.
In Accenture’s recent Mid-Year Update of their 2018 Cyber Threatscape Report, they open with a very disturbing finding: 71% of CISOs feel cyberattacks remain a “bit of a black box” and state that they “do not quite know how or when [attacks] will affect our organization.” This is a bit disturbing – the notion of cyberattacks being a “black box” means CISOs don’t understand how attacks happen, the techniques used, the true risk potential of an attack, and how to prevent, protect, detect, and respond to attacks.
Part of the problem is the lack of threat intelligence – Accenture points out the need for organizations to stay ahead of cyber threats, rather than simply responding to incidents when a cyberattack is detected. Whether continually following industry best practices, using solutions that leverage machine learning, or staying educated on attacks, organizations will be well-served to improve their internal expertise on cyber threats.
Another problem is a lack of security culture – Accenture found that only 13% of organizations take future threats into consideration when planning budgets. This is indicative of a very shallow vision for the need for security now and in the future. A true security culture looks at both the current state of attack, and what’s coming next – cybercriminals aren’t going to wait for you to catch up; their opportunity is now.
So creating a culture of security – within the executive team, IT, and the organization’s employees – is critical for the prevention of successful cyberattacks. Elevating the notion that it’s everyone’s job to protect the organization from attack sets the tone. Educating users on how to spot attacks and what to do about them through Security Awareness Training is a simple step that improves the organization’s cyber-preparedness and increases executive awareness of the problem, resulting in a stronger focus on security in the face of cyberattacks now and in the future.