Even so, more than half (59%) have experienced a security incident in the last year.
“Cyber attacks are now so sophisticated and commonplace that it is impossible to be fully protected,” said James Alexander, lead partner for TMT security at Deloitte, in discussing the research. “Companies need to act as if a breach is inevitable, and have a documented response plan in place so they can react when it does happen. Unfortunately, not enough companies are doing this, so we think companies are being overconfident in their resilience.”
It doesn’t help that the consequences of suffering a data breach are higher than ever before, with fines and brand damage escalating sharply. “Businesses therefore need to be more forward thinking, taking steps upfront which will not only ensure compliance, but will also guarantee that business critical information will be safe from internal and external threats,” said Matt Middleton-Leal, regional director for the UK & Ireland at Cyber-Ark, in an e-mailed statement to Infosecurity. “It’s time for the IT department to move away from the daily grind of firefighting, and focus on how to better protect the enterprise from tomorrow’s threats.”
That’s not to say companies don’t recognize that threats exist. Companies rated mistakes by their employees as a top threat, with 70% highlighting a lack of security awareness as a vulnerability. As ever, however, the result comes with a whiff of hypocrisy: Less than half of companies (48%) said that they offer even general security-related training.
“Companies must also embed a culture of cyber security in their staff,” said Alexander. “This is easier said than done, but each employee holds the keys to the castle and must understand that responsibility. Spreading a secure culture should also extend to the businesses that companies work with and companies need to collaborate to ensure strength across organizational boundaries.”
Similarly, only 52% of companies surveyed have a bring your own device (BYOD) policy in place, but three quarters (74%) of respondents considered the increased use of mobile devices as a vulnerability.
“Today’s smartphones and tablets are powerful enough to handle most business activities and it is now common for employees to use their own devices for work,” Deloitte points out in the research. “This intermingling of access to business data and use of personal software applications in one device makes mobile devices a prime target for hackers and provides new entry points for attack. This territory is just being charted.”
Another major concern for responding companies was the security of the businesses they work with: 74% said they were concerned about partners being breached. In today’s hyper-connected world, organizations are more reliant than ever on third parties, and sensitive information can often be found in the systems of businesses that support the supply chain and other business operations.
With so much focus and concern on a variety of threats, wherefore the lack of preparedness? A familiar culprit rose to the top of the heap: about half (49%) of companies said that a lack of budget was making it hard to improve security.
Despite the “needs improvement” grade among many businesses, 2013 could bring change. Having a security strategy and roadmap topped the list of priorities for companies.
“With 70% of respondents stating that lack of employee awareness is a major issue when it comes to security, concerns are automatically raised around the safeguarding of privileged accounts – a proven sweet spot for cyber-attackers – as well as the implementation of policies such as BYOD and the use of personal software,” Middleton-Leal said. “Today’s organizations need to work on the premise that the bad guys are already through the front door and as such, employees, particularly those who have access to privileged accounts, must receive regular and appropriate training to build awareness of the security risks surrounding technology.”