Infosecurity Europe 2015: Escalating Cyber-Threats Driving Business Response Strategies – Report

The results of Infosecurity Europe’s 2015 survey are now in – and the research indicates that the key driver of businesses’ security and response strategies is the escalating number of high-profile, headline-grabbing threats and breaches.

Launched back in November, and entitled Intelligent Security: Protect. Detect. Respond. Recover, the research report is based on a sample of 1336 information security professionals, around three-quarters of them based in Europe.

According to 67% of respondents, well-publicized incidents such as Target, Sony and JP Morgan, along with vulnerabilities like Heartbleed and Shellshock, are having a positive impact on businesses’ understanding of potential threats.

A corresponding number (62%) reported that reputational damage was the worst possible outcome their organizations could face in the wake of an incident. It would appear that industry horror stories from 2014 and early 2015 are resonating.

This is perhaps unsurprising, given that 58% of the sample report that they are currently detecting more incidents on their networks than they were 12 months ago.

In addition, 44% of professionals surveyed believe that the key driver of security strategy and investment in their organization is the complex and evolving threat landscape.

However, while awareness of security threats is improving, alongside the understanding of reputational risk, this is not always translating into more effective security strategies and policies throughout businesses, the report finds.

Despite the buzz around incident response, and the wide acceptance within the industry that prevention-only is an outdated security model, around a third of respondents reported that their organizations continue to prioritize prevention, with only a limited focus on response.

Furthermore, 10% said they have no incident response plan or capability in place at all. Almost a quarter, meanwhile, felt that their board did not understand or accept that breaches in the current landscape are highly likely.

It’s not all bad news, though, with some results indicating a healthier security posture among many organizations than is often reported. Significantly, 88% of respondents expressed confidence that their organizations’ security capabilities are effectively preventing incidents. Despite this, a quarter claimed that they did not know if their employer had fallen victim to a breach within the last 12 months.

Meanwhile, despite oft-repeated statistics about lengthening average times between incident and detection – more than 200 days by some estimates – 62% of those respondents who had experienced a breach within the previous 12 months claimed that the incident was detected within a week. Over a quarter reported that detection occurred within 24 hours.

The research also highlights some key takeaways that businesses could use to improve security. For example, around half of those canvassed believe that apathy from employees (32%) and a lack of understanding, buy-in and engagement at a senior level (21%) are the biggest obstacles to developing a security culture, suggesting that education has a role to play.

In the quest for effective incident response, meanwhile, it is a lack of resource (33%) and a lack of communication between business units (21%) that are hindering implementation.

Infosecurity Europe 2015 is held 2-4 June at London’s Olympia.