Report: Significant gap between IT staff and executives' understanding of security

According to survey results emailed to Infosecurity, researchers found a clear difference between the confidence of executive teams in UK businesses’ cyber-defense strategy and the views of the technicians tasked with maintaining it. Specifically, 32% of executives described their organization’s cybersecurity posture as “excellent,” but only 18% of technicians did.

Ponemon also found that 77% of executives feel their organizations’ cybersecurity strategy is aligned with overall business objectives, compared to 97% of technicians. This discrepancy suggests that technicians are clearly failing to frame their needs in language that is understood by IT decision makers – something that is leading to a culture of miscommunication, and is preventing many organizations from developing a robust cyber defense strategy.

“Low awareness of current risks and lack of communication are evidently rife in UK organizations,” said Greg Day, CTO of EMEA at FireEye, in a statement. “This is particularly concerning as it impacts the ability to make smart investments – without which effective defenses against advanced, targeted attacks cannot be built. Worryingly, it is these types of attacks that typically have the highest impact on businesses.”

Meanwhile, 41% of executives and 46% of technicians reported an increase in advanced malware and zero-day attacks on their business in the past year, with 69% of executives and 76% of technicians also indicating their organization had suffered a data breach in this period. Yet despite this, 45% of executives and 44% of technicians reported that insufficient resources present an obstacle to obtaining an optimal cyber defense infrastructure and strategy.

The disconnect is also evident when considering that 46% of executives and 49% of technicians felt a lack of collaboration with other functions was hindering their IT security posture. This indicates that despite the vast sums of money spent globally by enterprises to mitigate the risk to businesses, organizations are still under-resourced and inadequately equipped to combat the mounting threat facing them, Ponemon noted.

“The upshot of this report is that the level of investment in cyber defences is simply not aligned with the escalating threat level in the UK,” Day continued. “The striking disconnect between executives and technicians suggests that businesses are ill-equipped and unprepared, despite the fact that targeted and sophisticated attacks are skyrocketing. The fact remains that organizations with intellectual property and other sensitive data within their networks are a lucrative target for hackers, and with the stakes higher than ever, enterprise teams must unite and make sure that they are all on the same page, in order to reduce the overall risk.”

Unsurprisingly, the survey also revealed the limitations of traditional security defenses as seen by practitioners, with 43% of technicians reporting that the security technologies currently in use by their organization do not detect and block modern-day attacks. This compares with just 23% of executives, who seem to place significantly more confidence in these tools. A large proportion of respondents also cited manual inspection as a primary method of tracking the source of attacks and malware infections, indicating that traditional, labor-intensive security is still widespread, despite the changing nature of the threat.
