A recent Ponemon Institute study revealed what a lot of us have been saying for a long time. Despite spending millions of dollars, 79 percent of the IT and IT security staff reported that their ability to identify and stop threats is either non-existent, ad hoc or inconsistently applied throughout the enterprise.
The companies participating in this study said that they were on the receiving end of at least one cyber attack per month and spent about $3 million a year to deal with them.
Other results include:
- 59 percent said that protecting intellectual property is essential or very important to their company’s survival.
- Respondents said that they averaged 32 material cyber attacks a year.
- 38 percent said that their security processes for monitoring the Internet and social media were non-existent; another 23 percent said they were ad hoc and 18 percent said they were inconsistently applied.
- Over 60 percent of the security leaders – directors and above – said they did not have the tools they needed to monitor, analyze, understand and mitigate external threats.
What this report is saying is that the majority – in some cases three quarters – of the people assigned to protect company information and systems say that they do not have the ability to protect their companies. That is a scary concept.
Certain industries are probably exceptions to this – the big banks (but not the smaller banks) and the Defense Department, for example. This does not mean they don’t get breached. It means that they have the budget for tools and people to try and stop them from getting breached.
While an unlimited budget is nice, it is not necessary. What is needed is for executive management – the C-Suite and the Board – to make protecting their companies a priority, and then to make operational changes to the way those companies protect information.
It has been reported that when the security team went to Home Depot’s management to ask for more resources, they were told that Home Depot was in the business of selling hammers, and asked how spending money on cyber security would help that. My guess is that if they could reconsider that decision now, they would probably give a different answer.
This risk is not going away. It will likely get worse before it gets better. Sorry to be the bearer of bad news.
Information for this post came from Security Magazine.