New survey data shows lack of security support from C-level executives and diminishing security budgets
Despite a recent report from Gartner stating that cybercrime is now costing the global economy $5.2 trillion, a new study from Outpost24, an innovator in identifying and managing cyber security exposure, has revealed that almost one in ten (9 percent) organisations say their IT security budget is actually falling year over year.
The study, which was carried out in March 2019 at the RSA Conference in San Francisco, also revealed that 26 percent of organisations said their IT security budget is staying the say year over year, despite 62 percent stating that they do not know or do not believe that all their organisation’s most critical digital assets are comprehensively secured.
When survey respondents were asked what makes their organisation least prepared for cyberattacks, 31 percent said it was down to not having enough time to keep on top of threats targeting their organisation, while 21 percent said it was not having the inhouse knowledge and expertise to remediate and triage vulnerabilities found. Interestingly, 13 percent of respondents felt they did not have enough c-level buy-in to support security, while 26 percent said they didn’t believe their c-level executives and board members had a good enough understanding of the security threats targeting their organisation.
“The findings from our study highlight that there is a wide gap between security teams and budget holders which is putting organisations at risk. With the average cost of data breaches exceeding $3.8 million, cybersecurity is very much a c-level and board member issue. Board members and c-level executives should have a comprehensive understanding of their organisation’s security posture and the attacks targeting them, they should then take this data and allocate budgets accordingly, before their business is disrupted or reputation is damaged,” said Bob Egner, VP of Outpost24.
Survey respondents were also asked about the frequency of security assessments on their network, cloud infrastructure, their end points, web applications, data and their users. The findings revealed that seven percent never run assessments on their web applications, users, end points or data, while 13 percent said they never run assessments on their cloud infrastructure. The good news is that a majority of respondents said they carry out continuous monitoring across their technology stack, however, these findings contrast with the 62 percent of responses to the study that said they do not know or do not believe that all their organisation’s most critical digital assets are comprehensively secured.
The respondents that claim to carry out continuous security assessments, include:
- 33 percent continuously carry out security assessments on their network
- 29 percent continuously carry out security assessments on their cloud infrastructure
- 36 percent continuously carry out security assessments on their end points
- 34 percent continuously carry out security assessments on their web applications
- 31 percent continuously carry out security assessments on their data
- 31 percent continuously carry out security assessments on their users
“While it is positive to see a lot of organisations are carrying out continuous security assessments, we would ideally like these numbers to be a lot higher. If organisations are not monitoring their security posture, then the door is left open to malware and attackers that could be avoided. It is also interesting to see that so many organisations are struggling to carry out remediation and triage of security vulnerabilities. If an organisation does not have the in-house capabilities to carry out these tasks, they should look to outsource it to a third-party who can offer expertise in the area and ensure all vulnerabilities are comprehensively mitigated before they are exploited maliciously,” continued Egner.