Well, here is a glimmer of good news in the world of cybersecurity.
According to a new study from Guidance Software, organizations are doing more to prepare for the inevitable data breaches and are doing more to manage cybersecurity challenges.
Cyberattacks are on the rise and organizations are falling victim to them. We know that. The Guidance study found that nearly two-thirds of companies suffered a malware-related data breach and more than half dealt with a phishing-related breach. At the same time, 54 percent of organizations said they feel prepared to handle a breach if one happens in the coming year, and an increasing number of organizations said they are doing more to build a formal security and incident management team (although that number is still very small, as just a quarter of organizations stated this, up from 12 percent from the year before). As Patrick Dennis, president and CEO of Guidance Software, said in a formal statement:
Enterprises are beginning to realize that compromise is inevitable, so they need to ensure that they have a complete strategy that includes costs for prevention and deep detection and response tools. In other words, a growing number of enterprises recognize they live in a world of continuous compromise and no longer have to fear the breach.
That’s a good thing, because, as Ryan Wilk, vice president, Customer Success at NuData Security, told me in an email comment after the Petya ransomware attack, cybercriminals feel emboldened, making it more important than ever to take steps to recognize and address the pervasive malware problem. He added:
There is a definite need for a multi-layered approach that includes employee education about unusual links, what phishing emails look like, and the concern for social engineering.
Here’s the bad news for cybersecurity. Organizations are failing to properly educate their employees on even the most basic of security education – how to spot phishing email. A Wombat Security Technologies study found that 30 percent of workers don’t even know what a phishing email is and two-thirds are unfamiliar with ransomware. Wombat Vice President of Marketing Amy Baker was quoted by eSecurity Planet:
We often find that those of us who work in cybersecurity overestimate the knowledge the general public has on cybersecurity risks and basic secure behaviors. This could be giving security professionals false confidence and may be the reason why just fewer than half of organizations have a security awareness training program for their employees.
One study showed that organizations recognize the cybersecurity problem and are taking action. Unfortunately, organizations overestimate how security-savvy their employees are. Cybersecurity isn’t done in a vacuum; everyone must be on board for it to be effective. I hope the management of security challenges includes more security education and training.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba