Enterprise Strategy Group recently released findings of a research survey of 400 North American cybersecurity and IT professionals working in small companies (i.e., 50 to 499 employees). Most of these firms tend to have a small staff responsible for cybersecurity and IT, reporting to business management rather than CIOs or CISOs.
The research results found the cybersecurity situation far from satisfactory in these companies.
- Two-thirds of the organisations surveyed experienced at least one cybersecurity incident (i.e., system compromise, malware incident, DDoS, targeted phishing attack, data breach, etc.) over the past two years.
- Nearly half (46%) of survey respondents say that security incidents resulted in lost productivity, 37% say disruption of business applications or IT system availability, and 37% say disruption of a business process or processes (note: multiple responses were accepted).
ESG also asked survey respondents to identify the issues that represented the biggest contributors to these security incidents. The data reveals that:
- 35% believe the biggest contributor to security incidents is human error. This results in things like misconfigurations, ad-hoc processes, and haphazard controls.
- 28% believe the biggest contributor to security incidents is a general lack of understanding about cyber risk. This is a big one, as too many small organisations believe they can't possibly be a target, so they underinvest in or ignore basic security preparation and hygiene.
- 27% believe the biggest contributor to security incidents is new IT initiatives like cloud and mobile computing or SaaS adoption that have been implemented without the proper security controls. This could be the result of a lack of knowledge, or perhaps business people signed up for SaaS without alerting the security/IT team. Either way, there is an absence of thorough oversight around IT and cybersecurity policies.
- 24% believe the biggest contributor to security incidents is a lack of adequate cybersecurity training for non-technical employees. Small businesses don't believe they are targets, so they don't invest in cybersecurity awareness training. That's a real problem for these organisations and for everyone who does business with them.
- 20% say the biggest contributor to security incidents is that those tasked with cybersecurity can't keep up with their workload. When it comes to cybersecurity, many small businesses are understaffed and lacking in advanced skills. These firms should seek out help from managed security service providers (MSSPs) as soon as possible.