This finding is even more surprising given that our customer base is naturally more knowledgeable about information security than the average organization. Our results represent the most optimistic assessment of organizations’ cyber resilience, so the chances are things are even worse in the wider world.
Anti-malware technology isn’t the only area where organizations are neglecting essential cybersecurity measures. The report also found that:
- 43% of organizations don’t have a formal information security management program.
An information security management program sets out how an organization identifies, assesses and treats its information security risks. It ensures that controls are proportionate to the risk they address and that no necessary precaution is overlooked.
Organizations that lack a formal plan will be tackling security measures piecemeal, if at all.
- 33% of organizations don’t have documents that state how they plan to protect their physical and information assets.
Without documented plans, there is no way to check whether the controls work or what adjustments are needed. Worse, it may mean the organization has no plans in place at all, leaving it exposed to a wide range of threats.
- 30% haven’t implemented identity and access controls.
Sensitive information should be available only to those who need it to perform their job; otherwise, you run the risk of someone in the organization using it for malicious purposes.
In some cases, an unauthorized person simply viewing the information is a serious privacy breach. You wouldn’t want everyone at an organization being able to look at your medical information or political affiliations, for example. That’s why it’s essential to implement controls that ensure that only approved employees can access certain information.
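As an added illustration of the need-to-know control described above (example code written for this edit, not from the report or IT Governance), the following Python shows a deny-by-default check: a request is allowed only through an explicit role grant, or because the person is the data subject reading their own record, and every decision, refused ones included, is written to an audit trail so that attempts to view data outside someone's role are visible to a reviewer. The record identifiers, roles and grants are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data: record identifiers, their category and the data
# subject they concern. These are hypothetical, not from any real system.
RECORDS = {
    "hr/medical/emp-1042": {"category": "medical", "subject": "emp-1042"},
    "hr/payroll/emp-1042": {"category": "payroll", "subject": "emp-1042"},
    "wiki/onboarding": {"category": "public", "subject": None},
}

# Explicit grants: role -> set of (category, action). Anything not listed
# here is denied, so a new record category is protected by default.
GRANTS = {
    "occupational-health": {("medical", "read"), ("medical", "write")},
    "payroll-clerk": {("payroll", "read")},
    "employee": {("public", "read")},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    # Every decision, allowed or denied, is recorded: a denied read of a
    # medical record is exactly the event a privacy reviewer wants to see.
    audit: list = field(default_factory=list)

    def check(self, user: str, roles: set, record_id: str, action: str) -> Decision:
        record = RECORDS.get(record_id)
        if record is None:
            decision = Decision(False, "unknown record")
        elif record["subject"] == user and action == "read":
            # A person may always read data held about themselves.
            decision = Decision(True, "data subject reading own record")
        else:
            needed = (record["category"], action)
            granting = sorted(r for r in roles if needed in GRANTS.get(r, set()))
            if granting:
                decision = Decision(True, f"granted via role {granting[0]}")
            else:
                decision = Decision(False, f"no role grants {needed}")
        self.audit.append((user, record_id, action, decision.allowed, decision.reason))
        return decision

    def denied(self) -> list:
        """Audit entries for refused requests, the ones worth reviewing."""
        return [entry for entry in self.audit if not entry[3]]


def demo() -> AccessControl:
    ac = AccessControl()
    # A payroll clerk curious about a colleague's medical file: denied and logged.
    ac.check("emp-2001", {"employee", "payroll-clerk"}, "hr/medical/emp-1042", "read")
    # Occupational health staff with a legitimate need: allowed.
    ac.check("emp-3005", {"employee", "occupational-health"}, "hr/medical/emp-1042", "read")
    # The data subject reading their own record: allowed without a special role.
    ac.check("emp-1042", {"employee"}, "hr/medical/emp-1042", "read")
    # Nobody holds a write grant on payroll, so even the clerk cannot alter it.
    ac.check("emp-2001", {"employee", "payroll-clerk"}, "hr/payroll/emp-1042", "write")
    return ac


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The important design choice is that the grant table is the only way to say yes: a role the table does not mention, or a category nobody has been granted, is refused without any special-casing, and the refusal still lands in the audit trail.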
Where do these figures come from?
The report has its origins in our Cyber Resilience Framework, which we developed last year to help organizations improve their ability to prevent security incidents and respond when disaster strikes.
Alan Calder, the founder and executive chairman of IT Governance, said: “Attackers use cheap, freely available tools that are developed as soon as a new vulnerability is identified, producing ever more complex threats, so it is evident that, in the current landscape, total cybersecurity is unachievable.
“An effective cyber resilience strategy is, therefore, the answer, helping organizations prevent, prepare for and respond to cyberattacks, and ensure they are not only managing their risks but also minimizing the business impact.”
As part of the framework, we offered a self-assessment questionnaire, which helped organizations see how their existing measures compared to the framework and how much work was necessary to achieve cyber resilience.
We collated the results of the self-assessment to create this report, which provides a broader insight into how organizations are addressing cybersecurity risks and which threats are most commonly overlooked.