IT decision makers’ cyber security confidence is likely misplaced, survey shows

A survey of IT decision makers has shown that cyber security confidence is high – but they are bracing for ‘major’ attacks.

The survey, commissioned by Varonis, polled 500 IT leaders in the USA, UK, France and Germany, across firms with 1,000 or more employees. 45 per cent said that they expect a disruptive new cyber incident in the next 12 months, but almost 90 per cent said that their organisation is ‘ready’ to face such threats.

Theft and loss of data were named as the biggest fears amongst IT leaders, with 26 per cent having experienced these in the last two years and 25 per cent having been hit by ransomware. The majority, 85 per cent, have changed their security policies and procedures in the wake of this year’s cyberattacks, such as WannaCry, or plan to do so.

Despite the general fears about data loss, the survey found that around four in 10 organisations are not taking the important steps to fully secure that data. For example, full restriction of sensitive information, on a ‘need-to-know’ basis, was only enforced in 66 per cent of US businesses, and 51 per cent of those in Europe. German firms were the biggest culprits, with only 38 per cent fully restricting access – and, unsurprisingly, it was companies in Germany that had been the most affected by ransomware over the last two years, with 34 per cent hit.

John Carlin – former Assistant Attorney General for the US Department of Justice’s National Security Division, and currently chair of Morrison & Foerster’s global risk & crisis management practice – said that the level of cyber security confidence “is inconsistent with what we see in practice.” He added, “The reality is that businesses are consistently failing to restrict access to sensitive information and are regularly experiencing issues such as data loss, data theft and extortion in the form of ransomware.”

David Gibson, CMO of Varonis, said, “While it’s heartening that major security incidents are inspiring preparedness, if the past year is any indication, it is unlikely the actual security of these organisations aligns with perception.”
