Report: Risk of an Uncertain Security Strategy

Summary: In spite of high-profile data breaches and the potential business impact of cyber attacks and data loss, small and midsize organizations are still not making cyber security a priority. Sophos and the Ponemon Institute recently released a report, Risk of an Uncertain Security Strategy, that highlights the need to make security a key priority.

TOPICS: Security

Sophos and the Ponemon Institute released a report, Risk of an Uncertain Security Strategy, that highlighted a number of security issues companies of all sizes face today. What's unfortunate is that quite often security is not a priority for midmarket companies. This means that they often don't have a single department that is responsible for security. They may not even know if they've suffered a security breach.

Sophos and the Ponemon Institute surveyed more than 2,000 individuals with responsibility for managing the IT security function in their organizations. The majority of respondents have a very high or high level of involvement in the evaluation, selection and implementation of IT security products or services in their organizations. SMB organizations represented in this study employ from fewer than 100 to 5,000 individuals. After reading through the findings of many badly designed and implemented surveys, I found it refreshing to read a well-designed, well-implemented report.

Here are some of the top findings from the report:

  • One-third of respondents admit they are not certain if a cyber attack has occurred in the past 12 months. Because of this lack of knowledge about the frequency and magnitude of such attacks, actionable intelligence appears to be deficient. To remedy this deficiency, respondents say their company will be investing in big data analytics and network traffic intelligence over the next three years.
  • Respondents in more senior positions have the most uncertainty about the threats to their organizations. This indicates that the more removed the individual is from dealing on a daily basis with security threats, the less informed he or she is about the seriousness of the situation and the need to make it a priority. Fifty-eight percent of respondents say management does not see the possibility of a cyber attack as a significant risk.
  • Respondents estimate that the cost of disruption to normal operations is much higher than the cost of damages or theft of IT assets and infrastructure. Unlike other Ponemon Institute studies, where the theft of IP is the most expensive consequence of cyber crime, respondents do not seem to be able to determine the cost of lost or stolen information assets.
  • Mobile devices and BYOD are much more of a security concern than the use of cloud applications and IT infrastructure services. However, these concerns are not preventing extensive use and adoption of mobile devices, especially personal ones. To deal with this risk, respondents indicate that their organizations will be investing in technologies such as web application firewalls for mobile apps and endpoint management to reduce BYOD risks.
  • Respondents in specific industries have more confidence in their security awareness and strategy. Uncertainty seems to be very low in financial services, which can be attributed to the numerous data protection regulations. The technology sector is also more security aware, which is probably due to the IT expertise that exists in these organizations.
  • CISOs and senior management are rarely involved in decisions regarding IT security priorities. While 32 percent say the CIO is responsible for setting priorities, 31 percent say no one function is responsible.

The findings of this study are both interesting and somewhat disturbing. I urge you to download the report, read it and then consider how your company is addressing the dangers of the Internet, BYOD, cloud computing and the like.


Daniel Kusnetzky, a reformed software engineer and product manager, founded Kusnetzky Group LLC in 2006. He's literally written the book on virtualization and often comments on cloud computing, mobility and systems software. In his spare time, he's also the managing partner of Lux Sonus LLC, an investment firm.

  • Management Ostriches

    "Fifty-eight percent of respondents say management does not see the possibility of a cyber attack as a significant risk."

    That is scary because if management does not believe there is a risk, resources will not be provided. One problem is many do not understand that there are several reasons to attack a site. If you handle credit cards at all you are a target, even if the attackers do not target anything else on your site. Also, given the poor password practices by many, user logins are always a target. The company itself may not be the real target, which is a difficult concept for many to grasp.
    • All good points

      Linux_Lurker, those are all good points. This points out one of the findings that is quite disturbing. Security works best when it is built into a workload rather than being added on later.

      Dan K
  • Culture Starts with Management

    Nice summary of another interesting study by Ponemon. I'm convinced that the organizations that are most capable of protecting information are those that have truly developed a security-aware culture. That culture starts at the top, when senior level executives and managers walk the talk about protecting information. Our John Schroeter made a similar argument in his piece on making "Zero Information Loss" a keystone habit.
    Tom Pendergast