Six in every ten businesses have experienced a breach in either in the last three years. At least a third of infosec professionals (36%) whose employers had not recently been a victim of a cyber attack also believe that it is likely that they are currently facing one without knowing about it.
This may be an indicator of a bumper year for breaches, as the total number of organizations reporting breaches in 2018 only came to 32%.
Infosec professionals are right to be concerned, as by the end of July 2019, a quarter of infosec professionals revealed that the company they work for had suffered a data breach. These findings, and more, are revealed in Bitdefender’s global Hacked Off! Study.
The study takes into account the views and opinions of more than 6,000 infosec professionals, across the UK, US, Australia, New Zealand, Germany, France, Italy and Spain. Respondents represent a broad cross-section of organizations from fledgling SMEs, through to publicly listed 10,000+ person enterprises in a wide variety of industries, including finance, government and energy.
Threats are heating up, the pressure is high, and sleep low
Against the backdrop of an increasingly complex and fast-moving threat landscape, infosec professionals are acutely aware of the risks their organizations face. Almost half (49%) report that they are kept awake at night worrying about their organization’s cybersecurity.
More than half (58%) are also worried about the readiness of their organization in dealing with a global cyberattack.
The challenge is that it’s not only the threat landscape infosec professionals are contending with. More than a third of respondents report that there is a lack of cybersecurity understanding from general employees. There’s also a problem at the top of organizations.
C-Suite support is minimal, with as many as 57% of infosec professionals revealing that key executives are the least likely to comply with organizational cybersecurity policy — either pushing back on, or completely disregarding the rules.
Furthermore, infosec professionals are suffering from breach fatigue. On average, over half (53%) of endpoint detection and response alerts are false alarms, and 49% of infosec professionals say their team experience both alert and agent fatigue.
Their stress levels are high. This is compounded by the belief that 73% of them think their organization is more at risk of a cyber attack because they are under-resourced. This is higher (78%) for companies employing more than 1,000 people.
“According to respondents, resources are such a stressor that 17% of infosec professionals have contemplated leaving their job due to under-resourcing in terms of staff. Resources are in fact such a bugbear that infosec pros say the main obstacles to their organizations’ strengthening their cybersecurity posture are a lack of budget and a lack of skilled personnel,” comments Liviu Arsene, Global Cybersecurity Researcher at Bitdefender.
There’s a need for speed, and grave consequences for being slow off the mark
There is a desperate need for the speed of response to increase. Almost one in three infosec professionals (29%) reveal that it would take a week or longer to detect an advanced cyber attack.
This is higher (39%) among those that are in organisations that provide info security training & support — which is quite surprising, as the main obstacles that prevent rapid incident detection and response are identified as being ‘lack of knowledge’ and a ‘lack of proper security tools’ (both 36%).
There’s also a catch in breach identification. Only three in every one hundred infosec professionals reported that 100% of advanced attacks can be efficiently detected and isolated. For three in every ten companies (31%), the figure is less than half — which proves that there is vast room for improvement.
The need for speed in detection and response to threats is borne from the very real consequences that companies face if their cybersecurity is not up to scratch.
The fallout from being unaware of an on-going breach, according to infosec professionals, would be ‘business interruption’ (43%), ‘reputational cost’ (38%), and a ‘loss of revenue’ (37%). But, what’s most concerning to infosec professionals is the loss of customer trust. More than a third (37%) say it is their biggest concern.
There is hope, and solutions aplenty
Despite the need for improvements, 57% of infosec professionals rate their organizations’ cybersecurity either very good or excellent.
Arsene concludes, “Poor cybersecurity is an undeniable threat to businesses today. From the loss of customer trust to the impact on the bottom line it is critical for infosec professionals to get it right.
“Our advice would be to focus on critical areas of improvement. The study reveals that infosec professionals believe that the main drivers for boosting their organizations’ cybersecurity profiles are improving data protection, and faster detection and response capabilities.
“In addition, respondents suggest investments also need to be made into more effective ways of detecting cyber threats, with ‘network traffic analysis’, and antimalware technology topping the list. And interestingly, they reveal EDR should not be discounted, with seven in ten infosec professionals believing that EDR can help prevent future attacks.”