Businesses recognize security as a growing imperative, but many remain on the defensive, fighting cyber threats with dated tactics and training, according to CompTIA.
Companies need to adopt proactive measures to identify weak links before they are exploited; broaden the security skills of their technology professionals; and implement top-to-bottom security training throughout the organization.
“Building an impenetrable defense is no longer practical and the mentality of preventing all breaches is outdated,” said Seth Robinson, senior director, technology analysis, CompTIA. “But a new, proactive approach combining technologies, procedures and education can help find problem areas before attackers discover them.”
One of the challenges for organizations is that they tend to place the greatest emphasis on the cyber threats they understand the best. Malware and viruses, two of the oldest forms of cyberattacks, typically get the most attention.
“While we certainly need to remain vigilant about these threats, many other forms of attack have emerged that can carry disastrous consequences,” Robinson said.
The majority of companies in the study expressed only mild concern that they would be the target of ransomware, a distributed denial of service attack, social engineering, Internet of Things-based attacks, or SQL injection.
“While many companies have moved in the direction of cloud computing, mobile devices and other new technologies, it’s clear that a large number have failed to fully consider the corresponding security implications,” Robinson noted. “Gaining an appreciation and understanding of the many threats in play today is the first step in threat management.”
Companies are gradually shifting their focus from defense to offense. In CompTIA’s survey of business and technology executives at 350 U.S. companies, 29 percent of firms said they are highly proactive in their security posture, emphasizing detection and response. Another 34 percent said they balance a strong cyber defense with some proactive measures.
“Strong defense will always play a role, but this must be coupled with external audits, penetration testing and other proactive measures,” Robinson advised.
The human factor
Training (60 percent of companies surveyed) and certification (48 percent) are generally the favored methods of building advanced security expertise among technology professionals. Organizations that follow through on certifications after training find that they provide a higher degree of credibility, better proof of knowledge and improved candidacy for open positions.
Companies are also increasingly aware of the need to develop a security-aware culture, from the executive team through middle managers to the general staff. The survey found that 58 percent of companies offer security training during new employee orientation; 46 percent perform random audits; and 35 percent offer “live fire” hands-on labs.