‘Security professionals expect the worst and claim they are prepared’

Varonis Systems, a provider of software solutions that protect data from insider threats and cyber attacks, today released findings from an independent survey exploring security practices and expectations in the wake of the massive Equifax breach.

The survey, which polled 500 IT decision makers in the UK, Germany, France and US, highlights an alarming disconnect between security expectations and reality.

The vast majority (89%) expressed confidence in their cyber security stance and feel that their organisation is in a good position to protect themselves from attack. Yet in the months after WannaCry, 4 in 10 organisations are not taking critical steps to lock down sensitive information, putting them at risk from data loss, data theft and the next ransomware attack.

>See also: Equifax: The 143 million customer question

Nearly half of respondents (45%) believed their organisation will face a major, disruptive attack in the next 12 months. And, as a result, 85% have changed or plan to change their security policies and procedures in the wake of widespread cyberattacks like WannaCry.

Looking ahead to 2018, data theft and data loss were cited as top concerns for organisations.

“It is encouraging that IT professionals are understanding that it’s a matter of when, not if, their organisation will be hit with a damaging cyberattack. However, their level of confidence when it comes to security is inconsistent with what we see in practice,” said John Carlin, former Assistant Attorney General for the U.S. Department of Justice’s National Security Division and currently chair of Morrison & Foerster’s global risk & crisis management practice.

“The reality is that businesses are consistently failing to restrict access to sensitive information and are regularly experiencing issues such as data loss, data theft and extortion in the form of ransomware.”

The survey also showed major differences on cyber security policies and tendencies by country. Only 66% of U.S. organisations and 51% of EU-based organisations surveyed fully restrict access to sensitive information on a “need-to-know” basis. Organisations in Germany are the least likely to restrict access (38%).

>See also: Fighting the cyber war in the digital age

A majority (67%) of respondents reported their organisations have cyber security insurance policies. They are least prevalent in the U.S. (62%) and most common in France (75%).

German organisations have been hit particularly hard by ransomware, with 34% affected in the past 2 years.

“Attackers are upping their game, using more sophisticated, blended attacks like WannaCry and NotPetya that make use of multiple attack vectors,” said Varonis CMO David Gibson.

“At the same time, valuable data remains vulnerable to attacks that require little to no sophistication, like disgruntled employees snooping through overly accessible folders. While it’s heartening that major security incidents are inspiring preparedness, if the past year is any indication, it is unlikely the actual security of these organisations aligns with perception.”


The Women in IT Awards is the technology world’s most prominent and influential diversity program. On 22 March 2018, the event will come to the US for the first time, taking place in one of the world’s most prominent business cities: New York. Nominations are now open for the Women in IT USA Awards 2018. Click here to nominate

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Cyber Security