Size doesn't mean secure: How prepared is the enterprise for hackers?

Do you believe large corporations are the most well-prepared for cyberattacks? New research might make you think twice.
Written by Charlie Osborne, Contributing Writer

Does the size and investment capabilities of a business indicate better protection against cyberattack? New research indicates this may not be the case.

On Tuesday, RSA, the security division of EMC, released the Cybersecurity Poverty Index report, a global research project aimed at answering the question: "Why do security incidents occur?"

Poor or lax security, the human element, social engineering, security holes in networks and third-party products, a lack of investment in the right areas -- the answer to this question is varied and is certainly not clear-cut.

However, RSA believes the most critical component in answering this question is fundamental gaps in capability -- but this does not necessarily mean the bigger, the better.

RSA polled 400 security professionals in businesses across 61 countries. In order to assess the cybersecurity capabilities and "maturity" levels of the companies involved in the research, RSA measured their self-assessed capabilities against the NIST Cybersecurity Framework (CSF). The CSF, developed in the US jointly by industry and government, is a cybersecurity risk guide based on existing standards and practices.

The researchers found that almost 75 percent of respondents have "significant" exposure to cyberattack and only a quarter of businesses have a cybersecurity policy and base in place which can be considered mature or developed.

In total, only five percent consider themselves to have highly advanced capabilities to detect and defend against digital threats.

The strongest maturity levels reported are within the protection area -- which is becoming less important in today's landscape. It is a matter of when, not if, a modern-day business becomes the victim of a cyberattack -- and so the enterprise should respond by investing more heavily in detection and threat mitigation.

Unfortunately, this is where many businesses of every size fall short. According to the report, response and detection capabilities ranked last in maturity.

Almost two-thirds of respondents rated themselves as "inadequate" in every cybersecurity category -- identifying threats, protection, detection, response and recovery.


This is where things get interesting. You would be forgiven for assuming that the larger the company, the more money it potentially has to pump into protecting its networks. However, shareholders and the bottom line often mean that businesses will maintain the common standards of rival firms and their industry rather than go the extra mile -- and the current state of cybersecurity protection in business is simply not enough.

To name but a few, Target, Sony, JPMorgan and Staples have all been the victims of highly expensive cyberattacks in recent times -- a lesson other companies should take away before they become added to the list.

Enterprise players with over 10,000 employees are simply not prepared for today's threats. According to RSA, a worrying 83 percent of companies this size ranked below "developed" in overall cybersecurity maturity.


When a company becomes a victim of cybercriminals, the results can be costly -- not only in working out what happened and bringing in forensics teams, but also through the need to repair damage caused by the intrusion -- let alone the cost to reputation in the eyes of consumers. In total, two-thirds of respondents had cybersecurity incidents which impacted their businesses in the last year, but only 22 percent of these companies are considered mature in their security strategy.

"This indicates an inability of organizations to meaningfully improve maturity to reduce risk, and confirms the continued capability of adversaries to exploit gaps in conventional defense strategies," RSA says.

Being targeted also forces firms to rethink their cybersecurity strategies and risk management policies. Organizations which reported 40 or more security problems in the last 12 months were 2.5 times more likely to have developed or advanced overall capabilities than businesses which reported fewer than 10 incidents in the past year.

However, this does not mean improvement happens across the board -- as 63 percent of respondents which admitted to coping with 40 or more incidents still reported an inadequate level of maturity.

When it comes to location, companies in the Asia-Pacific region reported the most mature security strategies, while only 24 percent in the Americas and 26 percent in the EMEA regions reported developed and advanced strategies.


The least developed capabilities logged in the research were a company's ability to catalog, assess, and mitigate risk. In total, 45 percent of those surveyed described their abilities in this area as "non-existent" or "ad-hoc," and only 21 percent believed they have mature ability levels in this domain. The ability to detect threats was also widely self-assessed as immature, with 35 percent of organizations describing their expertise in this area as non-existent or ad-hoc.

"RSA believes that the ability to detect and respond to cyberattacks before they result in damage or loss is the most important capability that organizations must develop and refine," RSA concludes.

"Awareness of the need to improve is often the catalyst for change, and the evidence provided by the inaugural index provides a powerful incentive for the majority of organizations to develop a focused plan for improvement."
