Most businesses unprepared for cyberattack, study finds

Summary: New research suggests that 83 percent of businesses worldwide are still unprepared to cope with online security incidents.

TOPICS: Security

A new survey suggests that the majority of businesses across the globe are unprepared to deal with cyberattacks in the future.

Research conducted by the Economist Intelligence Unit and Arbor Networks says that while cyberattacks are on the rise, corporations are still woefully unprepared to deal with the prevalent threat.

If hackers manage to break into a corporate system, whether through the primary network or through a third party with access to systems, then this can leave client information at risk -- including finances, addresses and contact details.

Once a breach occurs, not only can this cost a firm a fortune to fix, but a company's reputation is likely to be damaged -- which in turn can lower future profit margins if consumer trust cannot be restored. As an example, U.S. retailer Target's recent security breach resulted in the theft of at least 40 million customer records containing credit and debit card data, as well as approximately 70 million accounts with information including home addresses and mobile phone numbers.

These kinds of cyberattacks, especially in high-profile cases, are not easy to recover from. Despite this, the business intelligence provider and security firm's report, "Cyber incident response: Are business leaders ready?" says that many companies are still not getting the message -- that skilled employees and the investment of time and money are necessary to keep networks safe.

After surveying 360 senior business leaders in companies across the U.S., Europe and Asia-Pacific, the companies found that while 77 percent of firms have suffered a security breach in the past two years, over a third of firms -- 38 percent -- still have no incident response plan in place should a cyberattack occur.

A mere 17 percent of businesses worldwide claim to be "fully prepared" for an online security incident.

Many respondents said that IT departments were relied upon to cope with the problem of cyber threats, but firms that have suffered a breach within the last two years were twice as likely to have hired third-party IT experts or teams to better understand the risks that networks face.

While 41 percent of business leaders feel a better understanding of potential threats would help them be better prepared, in order to save face, only a third of companies share data concerning incidents with others to spread best practices and exchange information -- and 57 percent do not voluntarily report incidents if not legally required to do so.

Arbor Networks President Matthew Moynahan commented:

"As these findings show, when it comes to cyber-attacks, we live in a “when” not “if” world. In the wake of recent high profile targeted attacks in the retail sector, a company’s ability to quickly identify and classify an incident, and execute a response plan, is critical to not only protecting corporate assets and customer data, but the brand, reputation and bottom line of the company."

  • Not surprised

    The survey results do not surprise me. IT security is an area that is not well understood by non-specialists even in IT. There is a set of best practices but one of the problems is most people treat IT security as a static problem not a dynamic problem. Static thinking is to install sufficient security once and not reevaluate regularly what changes must be made. The situation is dynamic, attack vectors are changing and evolving, as the black hats change to adapt to new defenses. A few years ago Java exploits were rare but now they are one of the major attack vectors. Spearphishing is more common now. And who knows what the NSA has been doing.
  • People seem to have a blind spot wrt learning from the mistakes of others

    People that are capable of learning from their own mistakes are more the norm.
    Rabid Howler Monkey
  • There are no good guidelines and the bad guys are getting more skilled

    If you are an individual, small business, or even big business, there is little in the way of any definitive guidelines aside from just being careful and keeping your AV updated. The "guidelines" out there are either eye-rolling cliches, totally naive, or actually just sales pitches in disguise. And even if you do find someone very tech and cybersecurity savvy to help you set up what would be considered a good system to deal with any sort of cyberattack, chances are that it would only help defend against automated or lesser skilled attacks. If a top-tier hacker or hacker group has you as a target, there is literally almost nothing conventional or practical these days to stop that kind of attack.

    Recently Businessweek in a breathless supposed expose claimed that Target ignored warnings from their expensive FireEye malware detection system. It turns out that the FireEye system generated too many inclusive and generic warnings to be that useful, which FireEye attempted to fix earlier by buying Mandiant, a supposed cyber forensics firm (I'm rolling my eyes as I type that) that has tech that can help FireEye produce better warnings. The cost of that purchase was about $1 billion, seriously, but that doesn't help Target at all. But that does illustrate that even if you have millions to spend on supposed state of the art cybersecurity software and technology, and hire a team of security experts that include former government spooks, there will still be potential gotchas that cybercriminals will no doubt eventually detect and exploit if it's worth their whiles. Actually in Target's case, you actually have an organization with a highly ranked *forensics lab* and it still wasn't enough to keep the bad guys out: