Cybersecurity report card: Why too many companies are graded 'could do better'

Lack of budget and the right skills are leaving businesses vulnerable to attack.
Written by Danny Palmer, Senior Writer

The vast majority of organisations don't have a cybersecurity strategy, leaving them unable to protect against attacks due to a lack of both budget and skills.

Despite a year of high-profile cybersecurity incidents including the WannaCry ransomware outbreak, many organisations still lag behind when it comes to cybersecurity.

A new report, Cyber Readiness, by insurance and underwriting firm Hiscox, has found that 73 percent of organisations have major shortcomings in their readiness to protect against cyber-attacks.

"As an end of term report, it might have the words 'can do better' scrawled on it in red ink," said Gareth Wharton, cyber CEO at Hiscox.

Part of the problem lies with a shortage of cybersecurity professionals, with organisations left trying their best to ensure their networks are safe, but often without the necessary staff required to do so.

"The cyber threat itself is set to grow in volume and severity, as criminal groups gain access to more sophisticated tools and become more reckless. The rapid growth of the 'internet of things' will amplify insecurities by adding millions of new devices with minimal built-in security," said Robert Hannigan, former director of GCHQ and an advisor to Hiscox.

"For those trying to protect against attack, the shortage of cyber skills will continue to be chronic," he added.

The report claims that a common problem across organisations is that many still view cybersecurity as a technology problem.

While the data by Hiscox suggests that those who spend more on cybersecurity are in a better position to fend off attacks -- organisations which spent twice as much as the $9.9m average IT budget were found to devote a higher percentage of those funds to security and were more resistant to attacks -- there's still an issue around ensuring that people and processes are up to scratch.

Organisations are "failing to support their investment in security technology with a formal strategy, sufficient resourcing and training, and sound processes", says the report.

Ultimately, it means that even if an organisation throws money at purchasing the latest in cybersecurity technology, it isn't going to make much of a difference if nobody is teaching staff the basics of how to operate securely, such as not giving away passwords or downloading attachments on unexpected emails.

The report was based on the responses of decision makers in 4,100 organisations across the UK, USA, Germany, the Netherlands, and Spain.

