With organizations the world over still reeling from the effects of this month’s WannaCry ransomware attack, and cyber security experts already warning of more potent threats to come, technology and business leaders are scrambling to make sense of an increasingly treacherous digital landscape. In the wake of the WannaCry crisis, DiscoverOrg surveyed 258 decision makers, across assorted countries and industries, to get a holistic picture of information security’s current state. While our findings indicate a general resignation to the reality of cyber-attacks going forward, respondents are largely optimistic about their ability to contain future threats, though philosophies and methodologies differ.
Here are some key takeaways from DiscoverOrg’s cyber security survey.
Nobody Is Safe
80% of respondents report their organizations have been affected by at least one variation of cyber-attack – ransomware, phishing, distributed denial of service (DDoS), or other types of malware – at some point in time. With frequency and severity escalating in the last two years, such crimes are approaching epidemic proportions. Phishing scams are the most reported variety of attack, having affected half of all respondents. Ransomware proved only slightly less common, having touched 40%. Both gambits exploit human error, primarily infiltrating corporate systems when employees click links or download contaminated files received via email. So, while updated software and security patches can certainly help stave off malware, complete security cannot be achieved through technology alone. Employee training and clearly defined best practices are a core component of any comprehensive security strategy, though opinions are split on precisely how resources should be allocated.
Man vs. Machine
While the majority of decision makers surveyed foresee their organizations responding to malware threats with a multi-pronged approach, there is a sharp split when it comes to prioritization. With updates to existing software being relatively easy and inexpensive, it is no surprise that 73% expect their organization to patch and refine current security policies. Perhaps more tellingly, 53% foresee their organizations investing in employee training in response to recent incidents, compared to only 42% predicting spending on additional cyber security safeguards. The takeaway is clear: many businesses see their people as more vulnerable than their technologies.
A mid-level IT decision maker from a county government agency in the United States tells DiscoverOrg in a follow-up interview that her organization has fallen victim to multiple cyber-attacks resulting from employees clicking nefarious links. As a result, workers are no longer allowed to access internal government networks via personal devices, and security training for employees enterprise-wide has become an increased priority – and a trial-and-error process. The county no longer includes sample links in emails warning staff about current scams, because employees were regularly clicking them. A mid-level source at a UK restaurant group concurs. He tells DiscoverOrg his company now restricts access to personal email accounts on the corporate network, because the filters the company installed to weed out questionable emails on its own system don’t work on outside email services.
Organizations Trust Their Security
Despite recent malware attacks exposing weaknesses in the general cyber security landscape, those surveyed remain overwhelmingly upbeat about the preparedness of their specific organizations. 92% of respondents report feeling either extremely or somewhat confident in their organizations’ understanding of how to keep their systems insulated from external threats. Even when questioned on specific components of their security environment, respondents remained assured, with 85% feeling extremely or somewhat confident in their enterprise’s ability to ensure uniformity of patch installations.
In the immediate aftermath of WannaCry, this certitude is evidenced by largely measured responses, with organizations seemingly resisting the temptation to overreact. Just under 16% of surveyed decision makers report any change in company policy in direct response to recent attacks. Of the respondents citing specific policy changes, most reference the tightening of personal device restrictions, more frequent patching, and other relatively modest amendments; no drastic policy shifts were reported.
Despite the overarching commitment to existing security policies, there is always room for refinement – particularly in the face of such persistent and mutating cyber threats. 86% of respondents indicate that organizational safeguards could be improved. While the decision maker at a UK restaurant group with whom we spoke believes his organization’s filters and firewalls are sufficient to stymie email intrusions, he worries about more invasive infiltrations through internal sources. “There’s always malicious intent,” he mused during his follow-up interview with DiscoverOrg. “Someone could bring it on a thumb drive.”
DiscoverOrg’s cyber security survey reflects a pragmatic realism among IT decision makers: cyber-attacks are here to stay. Ransomware, phishing scams and DDoS are simply a symptom of the inherent vulnerabilities of an increasingly digital business culture. The good news is, industry leaders generally feel that such attacks can be contained, and the damage mitigated, with proper preparation, ongoing vigilance, and thorough contingency plans. Practices as simple as regularly updating software and applying security patches can greatly reduce an organization’s susceptibility, while enterprise-wide training in cyber security best practices can greatly reduce the introduction of threats through human error. When the next malware onslaught hits, the difference between an organization shelling out hundreds of thousands in digital currency to retrieve ransomed data, and one with the freedom to tell ransomers where to stick their bitcoin demands, will likely be the preparatory steps taken in the coming weeks.