Why is it so hard for us to pay attention to cybersecurity?

More firms say they prioritise cybersecurity, but a significant number are still putting themselves at risk by not doing enough.
Written by Danny Palmer, Senior Writer

With a daily deluge of cyberattacks, hacking incidents, data breaches and malware campaigns, it appears that – finally – many organisations now understand that cybersecurity is an important issue that needs to be taken seriously from the board down.

Figures in the 2019 Cyber Security Breaches Survey from the UK government suggest that around three-quarters of businesses and charities believe that cybersecurity is a high priority for their organisation's senior management. For businesses, the figure is 78 percent, with charities slightly behind on 75 percent.

The number of organisations that view cybersecurity as a very high priority stands at four in ten businesses, while a third of charities also categorise cybersecurity as a high priority for directors, trustees and senior management. All of those figures are up compared with last year, suggesting that cybersecurity is increasingly viewed as being as important as any other part of the organisation.

But still: if three quarters of organisations view cybersecurity as a high priority, then around a quarter don't rate it as important. Indeed, 20 percent of businesses say that cybersecurity is seen as a fairly low or very low priority, with 22 percent of charities saying the same.

It's the food and hospitality sectors that are most likely to not promote cybersecurity as a high priority. While it might be tempting for some organisations – especially those outside of data-intensive sectors like finance, technology and education – to think that they can avoid investment in this area because they won't be of interest to attackers, it's more likely that the opposite is true.


Hackers looking for a quick buck will go for the low-hanging fruit – and if that can be achieved by locking down a small business with ransomware, or breaching their network to steal credit card information and other personal data, that's what they'll do.

In other cases, a poor approach to security can lead to your organisation falling victim to a cyberattack even when it wasn't the intended target, as demonstrated by the WannaCry ransomware incident of May 2017.

But often – especially when it comes to smaller businesses – cybersecurity is viewed as an expense, rather than an essential business cost.

"We're always hanging on by our finger tips in financial terms, and I think that really prevents us investing in the time it takes to address cybersecurity in a strong way," says one charity quoted in the report.

It's an understandable approach in a way – investing in cybersecurity, from software to training, costs money. If money is tight, these are the sorts of things that it might become easy to ignore.

An organisation that hasn't (knowingly) found itself on the wrong end of a cyberattack might fall into the trap of thinking that security isn't important.

'Knowingly' is the key word here: organisations might never know if someone clicked a phishing link that provides attackers with access to the network, or if hackers dropped trojan malware into their organisation.

So while it's encouraging to see that the majority of organisations are taking cybersecurity more seriously than ever before, there's still a long way to go.

And for those who aren't prioritising it, it's unfortunately likely to be only a matter of time before they find they've been the victim of a cyberattack or a data breach, and prevention may well be much cheaper than cure.

