ISACA: Orgs Struggle with Resources in the Face of Ransomware, IoT

The growth in both the volume and complexity of cyberattacks is presenting unprecedented challenges for organizations, which are struggling to devote the necessary resources for keeping pace with the threat landscape.

According to the second installment of ISACA’s 2017 State of Cyber Security Study, emerging threats such as internet of things (IoT) security and ransomware attacks are often not being adequately accounted for in training budgets and security programs. This is despite more than half (53%) of survey respondents reporting a year-over-year increase in cyberattacks for 2016, representing a combination of changing threat entry points and types of threats.

A full 80% of the security leaders who participated in the survey believe it is likely their enterprise will experience a cyberattack this year.

The report found that IoT overtook mobile as the primary focus for cyber-defenses, as 97% of organizations see a rise in its usage. As IoT becomes more prevalent in organizations, cybersecurity professionals need to ensure protocols are in place to safeguard new threat entry points.

A majority (62%) reported experiencing ransomware in 2016, but only 53% have a formal process in place to address it—a concerning number given the significant international impact of the recent WannaCry ransomware attack.

Malicious attacks that can impair an organization’s operations or user data remain high in general (78% of organizations reporting attacks).

Additionally, fewer than a third of organizations (31%) say they routinely test their security controls, and 13% never test them; 16% do not have an incident response plan.

“There is a significant and concerning gap between the threats an organization faces and its readiness to address those threats in a timely or effective manner,” said Christos Dimitriadis, ISACA board chair and group head of information security at INTRALOT. “Cybersecurity professionals face huge demands to secure organizational infrastructure, and teams need to be properly trained, resourced and prepared.”

The good news is that more organizations than ever now employ a chief information security officer—65%, up from 50% in 2016. However, security leaders continue to struggle to fill open cybersecurity positions.

As ISACA detailed in part 1 of this year’s State of Cyber Security report, nearly half (48%) of respondents don’t feel comfortable with their cyber-team’s ability to address anything beyond simple cybersecurity issues. Additionally, more than half of all respondents say cybersecurity professionals lack an ability to understand the business.

Though training is critically needed to address these skill shortages, a quarter of organizations have training budgets of less than $1,000 per cybersecurity team member. While overall cybersecurity budgets remain strong, fewer organizations are increasing their budgets this year. About half will see budget increases, down from 61% in 2016.

“The rise of CISOs in organizations demonstrates a growing leadership commitment to securing the enterprise, which is an encouraging sign,” said Dimitriadis. “But that’s not a cure-all. With the number of malicious attacks increasing, organizations can’t afford a resource slowdown. Yet with so many respondents showing a lack of confidence in their teams’ ability to address complex issues, we know there is more that must be done to address the urgent cybersecurity challenges faced by all enterprises.”
