IT Pros Expect the Worst, Claim to be ‘Prepared’ for Attack

A new survey from Varonis has revealed that almost half of IT pros expect their organization to suffer a major, disruptive attack in the next 12 months – though the vast majority are confident in their cybersecurity stance and believe their company is in a good defensive position.

The firm quizzed 500 IT decision makers in the UK, Germany, France and US to gauge security practices and expectations following the widely-publicized Equifax and WannaCry breaches earlier this year. 

Whilst, on the surface, the findings make for positive reading with regards to how well companies have reacted in the wake of both attacks, Varonis is quick to point out some glaring disconnects between security expectations and reality. 

For example, whilst 85% of respondents said their business had either changed or planned to change security policies and procedures in response to incidents such as WannaCry, in actuality four in 10 organizations are still failing to fully restrict access to sensitive information on a need-to-know basis.

“It is encouraging that IT professionals are understanding that it’s a matter of when, not if, their organization will be hit with a damaging cyber-attack,” said John Carlin, former assistant attorney general for the U.S. Department of Justice’s National Security Division and currently chair of Morrison & Foerster’s global risk & crisis management practice. “However, their level of confidence when it comes to security is inconsistent with what we see in practice. The reality is that businesses are consistently failing to restrict access to sensitive information and are regularly experiencing issues such as data loss, data theft and extortion in the form of ransomware.”

Looking ahead to 2018, data theft and data loss were cited as top concerns for organizations, which is unsurprising considering that 25% of respondents said their company had suffered ransomware, with 26% reporting the loss or theft of company data in the past two years.

“Attackers are upping their game, using more sophisticated, blended attacks like WannaCry and NotPetya that make use of multiple attack vectors,” said Varonis CMO David Gibson. “At the same time, valuable data remains vulnerable to attacks that require little to no sophistication, like disgruntled employees snooping through overly accessible folders. While it’s heartening that major security incidents are inspiring preparedness, if the past year is any indication, it is unlikely the actual security of these organizations aligns with perception.”
