August 31, 2017

Clutch Report: How Large Businesses Approach Cybersecurity in 2017

By Cloud Syndicate


IT decision-makers at large companies in the US invest in cybersecurity and stress security software and data storage as the cornerstones of cybersecurity policy.

Companies also grapple with employees’ disdain for strict policy enforcement. Overall, investing in communication and technology is the key to strengthening cybersecurity policies.

To examine the state of cybersecurity among large US companies and how they address both internal and external cybersecurity risk, Clutch surveyed 300 IT decision-makers at companies with 500+ employees.

Our Findings

  • Required security software (84%) and how to back up data (81%) are the most important elements of cybersecurity policies.
  • Large companies experience phishing attacks (57%) more often than any other form of cybersecurity attack.
  • Companies prioritize communicating their policy (85%) over enforcing it (66%).
  • More than half of IT decision-makers (52%) describe how their companies enforce cybersecurity policies as “moderate,” compared to “strict” (47%).

Using the results collected from this survey, we communicate how businesses approach cybersecurity in 2017 and how they plan to address future security threats.

Most Large US Companies Have a Cybersecurity Policy

Nearly all large businesses surveyed (94%) have a cybersecurity policy.

Among this group, 87% created a policy at least three years ago.

Large US companies are more likely to have a cybersecurity policy than most global organizations, two-thirds of which lack a formal cybersecurity policy.

Cybersecurity Policies Focus on Software Requirements, Data Backup

Cybersecurity policies most commonly include required security software (84%), how to back up data (81%), how to detect scams (79%), and how to report security incidents (78%).

The security measures large businesses include in their cybersecurity policies reflect overarching security concerns identified in Accenture’s 2016 State of Cybersecurity Report. According to this research, data loss and data theft are top areas of cybersecurity concern, issues that investing in security software and data backup address.

Phishing Attacks Pose Larger Threat Than Ransomware

Over half of IT decision-makers (57%) say their company has experienced a phishing attack in the past 12 months.

Our finding that email phishing is the most common security threat is consistent across other research conducted in 2017. A survey of 302 website managers also found that email phishing is the most common attack affecting websites.

Surprisingly, only 21% reported a ransomware attack on their company in the past year. The frequency of ransomware attacks is underwhelming compared to the amount of attention that type of cybersecurity attack receives.

In the first half of 2017, multiple global ransomware attacks drew international media coverage. Namely, the global ransomware attack “WannaCry” affected businesses on six continents (Antarctica miraculously survived unscathed) and caused $8B of damages worldwide. The next month, another ransomware attack, originating in Ukraine, caused $850M in global damages.

While large-scale ransomware attacks apparently affect few large US businesses, these attacks motivate companies to strengthen their defense against cyber threats, according to industry experts.

“The attacks are eye-opening for companies of all sizes, but in particular for larger companies,” said Tom DeSot, Chief Information Officer for Digital Defense, Inc., a San Antonio-based cybersecurity firm.

Evan Francen, CEO of FRSecure, a Minnesota-based cybersecurity company, casts aside concerns that news coverage of ransomware attacks will cause companies to devote disproportional resources to ransomware instead of other, more common attacks.

“I think all the coverage is positive. I’m not concerned about this particular boogeyman distracting from these other 18 potential boogey men,” Francen said.

News coverage of ransomware attacks is positive because it raises awareness about how important it is to have cybersecurity policies in place.

Companies Prioritize Communication and Policy Compliance

Businesses implement cybersecurity policies that focus on communication and training more than enforcement.

Communicating policy to employees is the primary method of cybersecurity implementation for 85% of firms, while slightly more than three-fourths monitor policy compliance (79%) and train employees to follow policy (77%).

When companies focus on communication, compliance, and training, they address two central cybersecurity concerns: the evolving cybersecurity threat landscape and internal risk posed by employees.

1. Cybersecurity Threats are Evolving

Cybersecurity threats evolve with technology. Thus, the threat of attack is constant. The most effective way to combat perennial cybersecurity threats is to update and effectively communicate policy, according to DeSot.

“The challenge of cybersecurity is that the threat landscape changes on a continual basis. What is good for protecting your company one day may fall short the next. If policies aren’t kept up-to-date and the employees aren’t trained to understand what the latest threats that the company is facing, [companies] leave themselves open for attack,” said DeSot.

To DeSot, some cybersecurity risk occurs unknowingly due to an absence of organizational communication and guidance for cybersecurity policies, an issue that is amplified by an evolving threat landscape.

In his experience, companies that excel at communicating policy are the most prepared for current and future cybersecurity threats.

2. Employees are a Major Threat to Cybersecurity

Employees are a major security liability for every company.

“It all comes down to humans. They are the number one risk factor for both internal and external security concerns,” said Brian Gill, CEO of Gillware, a Wisconsin-based data recovery firm.

CompTIA’s 2016 International Trends in CyberSecurity report states that 58% of global firms struggle more with security threats caused by human error than technology risks, an issue that 61% say has become more of a risk over the past two years.

The report cites “general carelessness” as the top source of human cybersecurity error.

Employees’ use of personal mobile devices and remote work are two factors that affect the level of internal risk at large companies. Employees who use personal devices to access work-related data or connect to unprotected WiFi networks put their company at risk. In fact, three of the top four mobile security concerns among large companies are open WiFi networks, unauthorized apps, and BYOD.

Remote work makes using unsecured devices and networks more likely. Our study finds that 89% of companies allow their employees to work remotely.

Nearly three-fourths (74%) of companies also allow their employees to use personal devices for work.

However, both Tom DeSot and Evan Francen say the relationship between human error and cybersecurity is a result of shortcomings in communication and training.

To promote employee comprehension of a company’s cybersecurity policy, Francen recommends the recent industry trend of “gamifying” policy compliance. For example, a company will send out a phony “phishing” scam email to test how well employees comply with company policy, and the employees that correctly identify the email as a phishing scam receive a reward.

Businesses Need to Balance Enforcement and Human Resources

Employees’ perception of their companies’ policies underscores the human resources component of cybersecurity: companies need to balance employee concerns with enforcing consequences for violating cybersecurity policy.

Over half of IT decision-makers (52%) describe the enforcement of their company’s policy as “moderate.”

Employees do not enjoy being monitored or punished for violating cybersecurity policy, and companies that prioritize enforcement over human interests risk damaging employee morale and company culture.

There has to be teeth in a policy for it to matter to people. If there are no consequences for breaking the policy, then why do you have a policy in the first place? At the same time, if someone violates the policy and they’re immediately terminated, it has a hit on morale within the company because then you have people that are scared to do their jobs because they’re scared they’re going to do something wrong and get fired. –Tom DeSot, CEO, Digital Defense

Some monitoring and enforcement are necessary to give policies a backbone. “Nobody wants to have big brother paying attention to what they’re surfing for on the internet. But, the cold reality is companies do need a firewall,” said Gill.

Finding a balance that allows employees to do their jobs without fearing company oversight, while understanding the consequences for violating the policy, is the key to addressing the human resources concerns of cybersecurity.

Investing in Technology Results in Cybersecurity Benefits

More than 70% of businesses plan to invest more in cybersecurity over the next year.

Companies that invest more in cybersecurity can afford to hire in-house resources or a cybersecurity company to combat cyber threats.

One-third of respondents (33%) say investing in technology, such as security software, secure mobile apps, and other IT services, will improve their cybersecurity policy.

Matt Patus, Lead Security Engineer for Matrix Integration, an Indiana-based IT solutions company, links investing in cybersecurity technology to adopting a company culture that prioritizes security.

“Companies are adopting a ‘culture of security’ where there is an increased investment in technology to protect them before, during and after an attack,” said Patus.

The improvement driven by investing in technology allows companies to experience the full benefits of a more effective cybersecurity policy. Over 60% say the main benefits of a cybersecurity policy are protection from external or internal threats.

Investing in technology brings protection from external threats, reduces internal threats, ensures compliance with policy, and brings peace of mind to large companies.

Well-Funded Cybersecurity Policies Protect Large Companies

Clutch’s survey shows that cybersecurity policies of large US businesses focus on security protocol and data protection, two areas that echo global security concerns. These businesses view investing in technology as the key to protecting them from security attacks, particularly phishing scams.

However, large companies also face a human resources dilemma with their cybersecurity policies, as they must balance the interests of their employees with enforcing their policy. The key to reaching this balance, according to industry experts, is effective communication and training.

If companies can reduce internal threats, they reap the full benefits of a cybersecurity policy, especially the protection from external threats.

About the Survey

Clutch surveyed 304 IT decision-makers at companies with 500+ employees. 77% of respondents worked at companies with over 1,000 employees. 70% hold positions above manager level.

By Grayson Kemper
