Most SMBs don’t consider cyberattack a substantial risk to their business

The Ponemon Institute has released its Risk of an Uncertain Security Strategy study, which surveyed over 2000 IT professionals who oversee the security role in their respective organizations. The study identified 7 risks that follow from uncertainty in security strategy:

1. Cyber attacks go undetected
2. Data breach root causes are not determined
3. Intelligence to stop exploits is not actionable
4. Cybersecurity is not a priority
5. Weak business case for investing in cyber security
6. Mobility and BYOD security ambiguity
7. Financial impact of cyber crime is unknown

Most respondents believe that compliance efforts did not enhance security posture: [Do you agree that] “compliance standards do not lead to a stronger security posture?”

[Figure: Ponemon compliance graphic]

Types of attacks that respondents reported are summarized as:

[Figure: Ponemon types of attack]

Notably, 31% of respondents said that no one person or role was in charge of establishing security priorities. 58% said that management does not see cybersecurity as a significant risk. Finally, the study also indicated that the further up people were in the organization’s hierarchy, the more distant they were from understanding the organization’s cyber risk and related strategy. While not surprising, this is discouraging.

I keep getting back to the idea of force protection that the military had to develop 30 years ago. In response to world events to include attacks on bases and personnel, the military realized that it needed to explicitly remove resources, funds, and capacity off of the operational (pointy) end and use them to protect and resource the rear if they were to be survivable and sustainable. Over time, I think the market will bear this out too for most SMBs. That is, I believe that those businesses that have been successful over several years will tend to be the ones that have made some investment in cybersecurity and resilience. And of the businesses that disappear after a short time, a high correlation will be made with those that did not invest in resilience.

Even though these conclusions might be fairly obvious, it’s not going to be pretty to watch.
