It’s just over a year since the WannaCry ransomware attack targeted private businesses and public organizations around the world, with high-profile victims including FedEx, German rail company Deutsche Bahn, and the UK’s National Health Service. The seriousness and sheer volume of cybersecurity threats in the past year have shown no sign of abating; according to statistics from file-scanning service VirusTotal, the service received an average of more than a million potential new threat files every day in March 2018, with the figure coming close to two million on some days.
IT security threats, and the methods used to deploy them, are undergoing constant evolution as cybercriminals seek innovative new ways to seize control, steal data, and wreak havoc upon organizations. At the same time, those organizations and their IT teams are constantly having to react and adapt to new types of cybersecurity threats, often at considerable expense as they continually strive to fend off attacks. But how well are enterprises really doing at keeping their businesses – and their customers – secure?
ISACA’s 2018 State of Cybersecurity report provides some good insight into this. Worryingly, in the light of WannaCry, NotPetya (a 2017 cybersecurity attack initially on more than 80 Ukrainian businesses, which later spread across Europe and to the U.S.) and other attacks, hacks and breaches, it turns out that only 20 percent of organizations have their IT security function reporting in to the main board or chief executive. This is down from 24 percent in the previous year – and it is concerning that in the face of such high-profile cyberattacks the highest levels of organizations aren’t taking the threat more seriously.
Another stat from the report points to the same conclusion: just 57 percent of participants thought that the company board was adequately supporting IT security initiatives, a stark reduction from 67 percent the previous year. Other figures from the survey suggest that companies are having trouble filling vacancies for skilled cybersecurity professionals, with respondents reporting that over 50 percent of candidates for such jobs were not qualified for the roles that they were applying for. In slightly more heartening news, while 36 percent of enterprises expect to see their cybersecurity budget stay the same or reduce this year, 65 percent are expecting a budget increase.
In an age where cybercrime is on the rise – and customers are understandably more cautious than ever about how businesses store and protect their personal data – it’s worrying that many enterprises still seem, on the face of it, not to be taking cybersecurity as seriously as they should. A lack of adequate protections, constantly reviewed and updated to counter evolving threats, is a gift to cybercriminals, who can range from malicious individuals to organized crime gangs and even state actors. It’s clear that many businesses should now be looking carefully at their cybersecurity investment – and reporting structure – if they want to avoid unpleasant consequences further down the line.