IT is in a precarious position: It has the knowledge to warn executives and users about the dangers of cyberattacks. But for whatever reason, these groups seem unable – or worse, unwilling – to get the message.
According to a recent Websense survey of 4,881 IT security practitioners, there are serious obstacles to IT’s message being heard.
For starters, the "Exposing the Cybersecurity Cracks: A Global Perspective" survey asked how often IT spoke with executives about cybersecurity. The results:
- the most common response was “never” (31%)
- annually (23%) and semi-annually (19%) came second and third, and
- 15% only spoke on security matters in an on-demand role.
Executives weren’t the only group that didn’t get valuable face-time with security pros. When asked if they provided cybersecurity training to users, more respondents answered no (48%) than yes (47%).
Pessimism in cybersecurity
With fewer than half of respondents providing security training, you might think they were confident in their current security plan’s ability to offer protection, but that isn’t the case, according to Websense.
Almost three-in-ten users (29%) said they’d like to see a complete overhaul of their security systems. Another 13% took a rather pessimistic view: They said they wouldn’t change their enterprise security system at all because no amount of changes could save them from a determined hacker.
But that misses the point to a certain degree. Determined hackers are far from the only threat companies face in securing data.
In fact, 76% of respondents said they personally knew of sensitive or confidential data stolen from insiders, including:
- intellectual property (63%)
- customer data (50%), and
- financial records (22%).
This doesn’t even account for another insider threat: Workers who unknowingly put information at risk (the very thing that training is designed to rectify and eliminate).
Help isn’t necessarily on the way
But it could be a moot point anyway. Many respondents indicated their companies weren’t in the mood to make many cybersecurity upgrades:
- 52% said their company doesn’t invest in skilled personnel or technologies for defense (10% weren’t sure), and
- 48% said their company wasn’t planning to make significant investments and/or adjustments to cybersecurity defenses in the coming year.
Getting the cybersecurity message out
Not everyone will be able to get their companies to do an about-face on cybersecurity. For some IT pros, the goal should be much smaller. Namely, they should focus on getting security a seat at the table.
Here are a few things you can do to help accomplish that:
- Share stats. Results from system scans and updates that would normally be used by IT alone don’t have to stay in your department. Sharing these stats with executives could help start a valuable conversation about security as they ask what the numbers mean – and how they could be improved.
- Have execs talk security. The next time you’re giving a security training session, ask other executives to pitch in with brief introductory statements. If they’re not the most security-minded individuals to begin with, this could urge them to think about the value training or security plans can have for the company.
- Ask about concerns. Whether they realize it or not, executives probably have some fairly serious concerns about cybersecurity. According to the survey, 67% of respondents said exfiltration of intellectual property including source code or business secrets would prompt executives to invest more heavily in security, while 53% said a data breach and 49% said extended system downtime would do the same. By asking what concerns executives the most, you can gear your message toward what the current defenses are and if they can be improved.