Security Shifts Focus From Defense to Response

Despite more organizations feeling that they are getting worse at preventing data breaches, the number of businesses that feel better prepared to respond to incidents is on the rise, according to the latest survey from the not-for-profit industry body the Institute of Information Security Professionals (IISP). 

Now in its third year, the IISP survey asked organizations two related questions about data breaches: how well protected from a breach they feel, and how prepared they are to respond to and recover from a security incident.

The number of organizations that feel they are getting worse at preventing a security breach doubled this year, up to 18% from only 9%. According to the survey report, "The only figure that showed growth of any significance was in the percentage of people that thought we had got worse as an industry at defending systems."

In a press release, Piers Wilson, director at the IISP, said, "These results reflect the difficulty in defending against increasingly sophisticated attacks and the realization that breaches are inevitable."

The survey results indicate that both budget constraints and the skills shortage contribute to the challenges of breach prevention. As the threat landscape continues to evolve, budgets are not keeping pace. The 2017–2018 survey results showed "a drop in the number of businesses where budgets are rising from 70% to 64%, and an increase in businesses where budgets are falling from 7% up to 12% (the same level as 2015)."

Additionally, the lack of highly skilled candidates continues to be a concern, with 18% of respondents identifying a deficit in resources, 18% reporting a shortage of skills and 14% reporting insufficient experience as key factors in the skills and people shortage. 

Part of the problem with the skills shortage is the impact and disruption caused by emerging technologies. Of the emerging technologies that respondents said were "very disruptive," the top two were the internet of things (66%) and artificial intelligence and machine learning technologies (49%). 

“We have seen AI and machine learning used in defensive security systems for some time, and this is now starting to become part of a wider automation approach,” said Wilson. “But like the IoT, AI can also be exploited by cybercriminals, so we need to have the people and technologies to respond and mitigate these emerging risks.”
