How do you think your company fares in cybersecurity readiness?
This question came to my mind today after reading two articles. The first was a TechTarget article that discussed what every company should know about cybersecurity readiness. One of the points in this piece covered identity management:
“This is made up of various plans, policies, procedures and technology aimed at providing appropriate access to information resources and an understanding of how those resources are used and by whom.”
Identity management includes areas such as authentication, authorization and access control. And that leads to the second article I read. eSecurity Planet reported on a recent Ponemon Institute and Varonis Systems study that found that more than 60 percent of end users are accessing data that they shouldn’t be, but at the same time, fewer than a third of IT departments are ensuring that only authorized people have access on a need-to-know basis.
It appears that businesses are struggling with cybersecurity readiness, which Peter Sullivan described in the TechTarget piece as:
“the state of being able to detect and effectively respond to computer security breaches and intrusions, malware attacks, phishing attacks, theft of data and intellectual property from both outside and inside the network.”
This is a particular problem in certain industries, like health care. According to a Healthcare IT News article, health care organizations spend less than 6 percent of the IT budget on security (the financial industry spends twice that). This is an industry that has been hit hard with data breaches and other security threats, in particular ransomware.
What is impeding cybersecurity readiness? One idea is the increase in the number of devices now connecting to the corporate network. In a Security Magazine article, Seth Robinson, senior director, technology analysis, CompTIA, stated:
“Far more than half of all companies have adopted cloud computing and mobile devices. This suggests that many companies are embracing new technology solutions without taking the corresponding actions necessary to build a proper defense. This poses huge challenges for the IT security professionals tasked with security responsibilities.”
So what can companies do to improve their cybersecurity readiness? Sullivan said it begins with a plan that pinpoints cybersecurity concerns and the end goals in addressing those concerns. What steps need to be taken in order to prevent potential threats?
It’s also a matter of understanding what today’s threats are. We know threats are always evolving, but security systems are too often focused on yesterday’s threats rather than today’s.
And finally (for the sake of this blog, but certainly not overall cybersecurity readiness), employees need better training and security awareness. It will take some time to overcome the cybersecurity professionals gap, but there is no reason not to keep employees in the loop about what they can do (and shouldn’t do) to keep the network and data secure.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.