Is your business neglecting basic cybersecurity?

A new report finds organizations are dangerously underprepared for cybersecurity breaches. Is your business included?
8 February 2019

An engineer works on a server rack. Source: AFP

No shortage of measures are available to quash the risk of cybersecurity breaches within your business, whether that comes down to ensuring the right policies are in place among staff, protecting your company’s network with a firewall, encrypting the data you store, taking out cybersecurity insurance, or otherwise.

But despite the resources available, approximately a third of organizations still admit that they are largely unprepared for cyber attacks, according to research by eSecurity Planet’s 2019 State of IT Security survey.

While that finding is rather bleak, the survey also found that more than half of companies (54 percent) plan to increase their IT spend on security this year. Just shy of a third said they would up spend on the area by 10 to 20 percent more.

Some of that planned spend is probably being reserved for getting the right people for the job. eSecurity found that 57 percent of firms were planning to hire security staff within the next year— prompting “hope” among the report’s authors— despite a global shortage of around three million cybersecurity specialists.

According to the report, one of the most crucial activities organizations can undertake in preparation of a cyber attack is penetration testing— and it’s no surprise that this activity was lacking within companies across the board.

A requirement of any business taking credit card payments or handling credit card data, penetration testing involves IT security experts attempting to bypass an organization’s cybersecurity defenses, reviewing any weaknesses or misconfiguration, and benchmarking the system’s overall integrity as a result.

According to eSecurity, across organizations of all sizes, more than a fifth said they conducted penetration testing infrequently— 18 percent said they never conducted any such testing. Ultimately, it amounts to 39 percent of companies overlooking a critical security process.

But the findings worsen among smaller enterprises. While for organizations of 10,000 or more employees, 15 percent claimed to conduct penetration tests infrequently or never, for those of fewer than 100 employees, that figure sat at 60 percent— or nearly two-thirds of businesses.

The pattern of smaller businesses being more unprepared was reinforced when respondents were asked how often their business conducted threat hunting exercises— which involves the proactive and iterative searching through networks to detect and isolate advanced threats that evade existing solutions.

More than half (51 percent) of larger organizations— which are more likely to be under heavy regulation, such as in finance and healthcare— were involved in threat hunting once a year or more, while that number dropped to 40 percent for businesses of 100 employees or fewer.

Small IT companies are the exception, with most very confident in their security defenses.

The report reminds, however, that cybersecurity threats are generally agnostic to the size of a business, and the weight of responsibility to protect an organization and its data rests on businesses of all sizes.

As such, based on common cybersecurity preparedness ‘gaps’, eSecurity recommends several areas that businesses should focus on in order to improve their defenses.

Regular vulnerability testing

It doesn’t matter how you do it— whether it’s conducted by your internal IT team, an external consultant, or with breach and attack simulation software— investing in frequent, or even continuous, vulnerability testing should be high priority.

Don’t avoid threat hunting

While it’s unavoidable that some attacks will get through an organization’s defenses— that’s no reason an attack should be allowed to persist and cause further damage. Threat hunting should be a constant matter of diligence.

Preparedness isn’t permanent

Cybersecurity preparedness is an ongoing activity, not something that can ticked off the list and forgotten about. Businesses must review technologies, processes and deployments regularly, continually ensuring defences are as robust as possible.