Corporates large and small are “naïve” about their cybersecurity risks, according to a new report.
Researchers at cybersecurity analytics company RedSeal released a survey this month that explores why businesses aren't adequately approaching their security strategies, and it comes in the context of new data from IBM Security that finds U.S. firms aren't heeding advice from the Federal Bureau of Investigation about how to deal with an attack.
“Cyber naivete” is how RedSeal described many of the survey respondents of its report, conducted with data company 72Point. According to researchers, 80 percent of respondents fell into that category and are considered “ripe” targets for cyberattacks. That's despite 80 percent of CEOs expressing confidence in existing cybersecurity strategies.
That confidence is misdirected, with half of organizations prioritizing an outdated method to protect their businesses. Only 24 percent said they are proactively working to handle hackers that have already successfully attacked their companies.
“CEOs' confidence reflects a disconnect with the reality of increased cyberattacks and the massive financial losses associated with them,” the report stated, as reported by The Wall Street Journal. “In addition, their confidence is based on a strategy determined to be insufficient and out of date more than two years ago.”
In a data roundup by the publication of the latest analysis of corporate cybersecurity, researchers identified where a security breach is most likely to occur. Data security company Imperva, reports said, found that phishing attacks are more likely to be successful when a person opens an email at work (with 35 percent of phishing emails sent between 9 a.m. and noon).
But there are other areas breaches can occur: IT security firm Gemalto found that 68 percent of IT professionals said they would be OK with having employees use their own social media credentials to access company systems. Mismanaged paperwork can also be an issue, with 45 percent of ethics and compliance professionals surveyed by the Society for Corporate Compliance and Ethics and by the Health Care Compliance Association noting that lost paper files were to blame for their data breaches. Meanwhile, 20 percent cited a lost device for the cause of a breach. And TD Bank analysis found that more than a third of treasury and finance executives cite the risk of payments fraud and cybersecurity as their top challenge for the year ahead.
All of this data has flowed in as IBM Security reports another reason to be concerned about U.S. companies' cybersecurity measures.
According to the research, 70 percent of companies say they pay up when targeted by a ransomware attack — an attack in which hackers take corporate data hostage unless the victim pays a ransom — despite the FBI advising organizations not to do so, reports by CyberScoop said last week.
The majority of these companies said they paid more than $10,000 to hackers that locked corporate systems and held data hostage — a fifth said they paid more than $40,000. Further, IBM Security found that many of these targets never report the hack or details of the breach to law enforcement.
Cyberattacks are complex to prevent and challenging to take care of once they've occurred — especially for smaller businesses. But in today's climate, CyberScoop said, businesses cannot afford to let their cybersecurity strategies fall by the wayside — as research suggests they do.
“Education about phishing and hacking is effective, though it often feels out of the question for small businesses with less time and money to spare than their larger counterparts,” the outlet wrote. “But phishing remains the most used attack vector for hackers of all stripes … so it ought to be high on the priority list of any organization or individual concerned with security — and, after the year we've had, we should probably all be concerned.”