A recent report from Gartner has stated that cybercrime is now costing the global economy $5.2 trillion — who said crime doesn’t pay?
Despite this, a new study from Outpost24 — who specialise in managing cyber security exposure — has revealed that almost one in ten organisations (9%) say their IT security budget is actually falling year on year.
The study, which was carried out in March 2019 at the RSA Conference in San Francisco, also revealed that 26% of organisations said their IT security budget is staying the same year-on-year.
This is somewhat alarming given that 62% of the respondents stated that they do not know or do not believe that all their organisation’s most critical digital assets are comprehensively secured — whose are really?
When survey respondents were asked what makes their organisation least prepared for cyber attacks, 31% said it was down to not having enough time to keep on top of threats targeting their organisation, while 21% said it was not having the in-house knowledge and expertise to remediate and triage vulnerabilities found.
Interestingly, 13% felt they did not have enough C-level buy-in to support security, while 26% said they didn’t believe their C-level executives and board members had a good enough understanding of the security threats targeting their organisation.
“The findings from our study highlight that there is a wide gap between security teams and budget holders which is putting organisations at risk. With the average cost of data breaches exceeding $3.8 million, cyber security is very much a c-level and board member issue. Board members and c-level executives should have a comprehensive understanding of their organisation’s security posture and the attacks targeting them, they should then take this data and allocate budgets accordingly, before their business is disrupted or reputation is damaged,” said Bob Egner, VP of Outpost24.
What sectors are investing the most and least in cyber security?
The frequency of security assessments
Survey respondents were also asked how frequently they run security assessments on their network, cloud infrastructure, endpoints, web applications, data and users.
The findings revealed that 7% never run assessments on their web applications, users, endpoints or data, while 13% said they never run assessments on their cloud infrastructure.
The better news is that the largest single group of respondents, roughly a third in each category, said they carry out continuous security assessments across their technology stack. However, these figures sit uneasily alongside the 62% who said they do not know or do not believe that all their organisation’s most critical digital assets are comprehensively secured.
The respondents who claim to carry out continuous security assessments break down as follows:
• 33% continuously carry out security assessments on their network;
• 29% continuously carry out security assessments on their cloud infrastructure;
• 36% continuously carry out security assessments on their endpoints;
• 34% continuously carry out security assessments on their web applications;
• 31% continuously carry out security assessments on their data; and
• 31% continuously carry out security assessments on their users.
“While it is positive to see a lot of organisations are carrying out continuous security assessments, we would ideally like these numbers to be a lot higher. If organisations are not monitoring their security posture, then the door is left open to malware and attackers that could be avoided. It is also interesting to see that so many organisations are struggling to carry out remediation and triage of security vulnerabilities. If an organisation does not have the in-house capabilities to carry out these tasks, they should look to outsource it to a third party who can offer expertise in the area and ensure all vulnerabilities are comprehensively mitigated before they are exploited maliciously,” continued Egner.