Cybersecurity in 2017
IT decision-makers at large companies in the US invest in cybersecurity and stress security software and data storage as the cornerstones of cybersecurity policy.
Companies also grapple with employees' disdain for strict policy enforcement. Overall, investing in communication and technology is the key to strengthening cybersecurity policies.
To examine the state of cybersecurity among large US companies and how they address both internal and external cybersecurity risk, Clutch surveyed 300 IT decision-makers at companies with 500+ employees.
- Required security software (84%) and how to back up data (81%) are the most important elements of cybersecurity policies.
- Large companies experience phishing attacks (57%) more often than any other form of cybersecurity attack.
- Companies prioritize communicating their policy (85%) over enforcing it (66%).
- More than half of IT decision-makers (52%) describe their companies’ enforcement of cybersecurity policies as “moderate,” compared to “strict” (47%).
Using the results collected from this survey, we communicate how businesses approach cybersecurity in 2017 and how they plan to address future security threats.
Most Large US Companies Have a Cybersecurity Policy
Nearly all large businesses surveyed (94%) have a cybersecurity policy.
Among this group, 87% created a policy at least three years ago.
Large US companies are more likely to have a cybersecurity policy than most global organizations, two-thirds of which lack a formal cybersecurity policy.
Cybersecurity Policies Focus on Software Requirements, Data Backup
Cybersecurity policies most commonly include required security software (84%), how to back up data (81%), how to detect scams (79%), and how to report security incidents (78%).
The security measures large businesses include in their cybersecurity policies reflect overarching security concerns identified in Accenture’s 2016 State of Cybersecurity Report. According to this research, data loss and data theft are top areas of cybersecurity concern, issues that investing in security software and data backup address.
Phishing Attacks Pose Larger Threat Than Ransomware
Over half of IT decision-makers (57%) say their company has experienced a phishing attack in the past 12 months.
Our finding that email phishing is the most common security threat is consistent across other research conducted in 2017. A survey of 302 website managers also found that email phishing is the most common attack affecting websites.
Surprisingly, only 21% reported a ransomware attack on their company in the past year. The actual frequency of ransomware attacks compares underwhelmingly with the amount of attention this type of attack receives.
In the first half of 2017, multiple global ransomware attacks drew international media coverage. Namely, the global ransomware attack “WannaCry” affected businesses on six continents (Antarctica miraculously survived unscathed) and caused $8B of damages worldwide. The next month, another ransomware attack, originating in Ukraine, caused $850M in global damages.
While large-scale ransomware attacks apparently affect few large US businesses, these attacks motivate companies to strengthen their defense against cyber threats, according to industry experts.
“The attacks are eye-opening for companies of all sizes, but in particular for larger companies,” said Tom DeSot, Chief Information Officer for Digital Defense, Inc., a San Antonio-based cybersecurity firm.
Evan Francen, CEO of FRSecure, a Minnesota-based cybersecurity company, casts aside concerns that news coverage of ransomware attacks will cause companies to devote disproportional resources to ransomware instead of other, more common attacks.
“I think all the coverage is positive. I’m not concerned about this particular boogeyman distracting from these other 18 potential boogeymen,” Francen said.
News coverage of ransomware attacks is positive because it raises awareness about how important it is to have cybersecurity policies in place.
Companies Prioritize Communication and Policy Compliance
Businesses implement cybersecurity policies that focus on communication and training more than enforcement.
Communicating policy to employees is the primary method of cybersecurity implementation for 85% of firms, while slightly more than three-fourths monitor policy compliance (79%) and train employees to follow policy (77%).
When companies focus on communication, compliance, and training, they address two central cybersecurity concerns: the evolving cybersecurity threat landscape and internal risk posed by employees.
1. Cybersecurity Threats are Evolving
Cybersecurity threats evolve with technology. Thus, the threat of attack is constant. The most effective way to combat perennial cybersecurity threats is to update and effectively communicate policy, according to DeSot.
“The challenge of cybersecurity is that the threat landscape changes on a continual basis. What is good for protecting your company one day may fall short the next. If policies aren’t kept up-to-date and the employees aren’t trained to understand the latest threats that the company is facing, [companies] leave themselves open for attack,” said DeSot.
To DeSot, some cybersecurity risk occurs unknowingly due to an absence of organizational communication and guidance for cybersecurity policies, an issue that is amplified by an evolving threat landscape.
In his experience, companies that excel at communicating policy are the most prepared for current and future cybersecurity threats.
2. Employees are a Major Threat to Cybersecurity
Employees are a major security liability for every company.
“It all comes down to humans. They are the number one risk factor for both internal and external security concerns,” said Brian Gill, CEO of Gillware, a Wisconsin-based data recovery firm.
CompTIA’s 2016 International Trends in CyberSecurity report states that 58% of global firms struggle more with security threats caused by human error than with technology risks, an issue that 61% say has become more of a risk over the past two years.
The report cites “general carelessness” as the top source of human cybersecurity error.
Employees’ use of personal mobile devices and remote work are two factors that affect the level of internal risk at large companies. Employees who use personal devices to access work-related data or connect to unprotected WiFi networks put their company at risk. In fact, three of the top four mobile security concerns among large companies are open WiFi networks, unauthorized apps, and BYOD.
Remote work makes using unsecured devices and networks more likely. Our study finds that 89% of companies allow their employees to work remotely.
Nearly three-fourths (74%) of companies also allow their employees to use personal devices for work.
However, both Tom DeSot and Evan Francen say the relationship between human error and cybersecurity is a result of shortcomings in communication and training.
To promote employee comprehension of a company’s cybersecurity policy, Francen recommends the recent industry trend of “gamifying” policy compliance. For example, a company will send out a phony “phishing” scam email to test how well employees comply with company policy, and the employees that correctly identify the email as a phishing scam receive a reward.
Businesses Need to Balance Enforcement and Human Resources
Employees’ perception of their companies’ policies underscores the human resources component of cybersecurity: companies need to balance employee concerns with enforcing consequences for violating cybersecurity policy.
Over half of IT decision-makers (52%) describe the enforcement of their company’s policy as “moderate.”
Employees do not enjoy being monitored or punished for violating cybersecurity policy, and companies that prioritize enforcement over human interests risk damaging employee morale and company culture.
There has to be teeth in a policy for it to matter to people. If there are no consequences for breaking the policy, then why do you have a policy in the first place? At the same time, if someone violates the policy and they’re immediately terminated, it has a hit on morale within the company because then you have people that are scared to do their jobs because they’re scared they’re going to do something wrong and get fired. –Tom DeSot, CEO, Digital Defense
Some monitoring and enforcement are necessary to give policies a backbone. “Nobody wants to have big brother paying attention to what they’re surfing for on the internet. But, the cold reality is companies do need a firewall,” said Gill.
Finding a balance that allows employees to do their jobs without fearing company oversight, while still understanding the consequences of violating the policy, is the key to addressing the human resources concerns of cybersecurity.
Investing in Technology Results in Cybersecurity Benefits
More than 70% of businesses plan to invest more in cybersecurity over the next year.
Companies that invest more in cybersecurity can afford to hire in-house resources or a cybersecurity company to combat cyber threats.
One-third of respondents (33%) say investing in technology, such as security software, secure mobile apps, and other IT services, will improve their cybersecurity policy.
Matt Patus, Lead Security Engineer for Matrix Integration, an Indiana-based IT solutions company, links investing in cybersecurity technology to adopting a company culture that prioritizes security.
“Companies are adopting a ‘culture of security’ where there is an increased investment in technology to protect them before, during and after an attack,” said Patus.
The improvement driven by investing in technology allows companies to experience the full benefits of a more effective cybersecurity policy. Over 60% say the main benefits of a cybersecurity policy are protection from external or internal threats.
Investing in technology brings protection from external threats, reduces internal threats, ensures compliance with policy, and brings peace of mind to large companies.
Well-Funded Cybersecurity Policies Protect Large Companies
Clutch’s survey shows that cybersecurity policies of large US businesses focus on security protocol and data protection, two areas that echo global security concerns. These businesses view investing in technology as the key to protecting them from security attacks, particularly phishing scams.
However, large companies also face a human resources dilemma with their cybersecurity policies, as they must balance the interests of their employees with enforcing their policy. The key to reaching this balance, according to industry experts, is effective communication and training.
If companies can reduce internal threats, they reap the full benefits of a cybersecurity policy, especially the protection from external threats.
About the Survey
Clutch surveyed 304 IT decision-makers at companies with 500+ employees. 77% of respondents worked at companies with over 1,000 employees. 70% hold positions above manager level.
By Grayson Kemper