IT’s worried about cyberattacks: Execs don’t understand them

IT pros are generally a confident bunch. But a new survey shows even they have serious doubts as to whether they’re able to handle the latest breed of cyberattacks – and even worse, they’re not even sure they can show their bosses why that’s a big deal. 

Websense and the Ponemon Institute surveyed 4,881 IT pros worldwide on the state of threat protection in their companies. The results aren’t encouraging.


On one of the most basic parts of IT’s job – protecting confidential data – respondents were despondent. When asked if they were able to stop cybercriminals from stealing corporate info:

  • 33% of respondents strongly disagreed
  • 18% disagreed, and
  • 22% agreed.

Only 12% were very confident in their ability to thwart hackers.

That’s not false humility, either. Many respondents know of what they speak. When asked if they had experienced at least one substantial cyberattack in the past year in which enterprise networks or systems had been infiltrated, 44% said that they had and 7% were unsure.

The top doesn’t know

Well, what are you waiting for? Take this information and run to the board to show them the problem.

That might not get you too far, according to the survey. When asked to rate non-IT executives’ knowledge of cybersecurity, only 5% said their bosses had “substantial” knowledge. The rest rated their bosses’ security understanding as:

  • good (16%)
  • some (34%)
  • poor (35%), and
  • none (11%).

Even security professionals weren’t too confident. Fifty-three percent said they didn’t have a good understanding of the threat landscape facing their companies.

Is the darkness winning?

There’s no shame in companies not having a full knowledge of all the types of attacks that can come in. The number of incoming threats and attacks is almost too big for anyone to wrap their heads around.

The recent Verizon Data Breach Investigations Report tallied 63,437 incidents that compromised security in 2013. It also was able to confirm 1,367 data breaches. Keeping a handle on every vector those attacks could come in from isn’t just challenging; it could be downright impossible.

But security awareness can make a huge difference. Getting your people – end-users, managers and IT staff alike – to have a better awareness of security can help build resistance to attacks.

Establish a baseline

The first step to security awareness is to build a baseline that shows where you stand today. Collect information on:

  • attacks against your company
  • attacks thwarted by your defenses, and
  • the kinds of attacks that are common today or in your industry.

If you compile and share this information with executives, it will help build security awareness. Many mistakenly believe that because they haven’t personally felt the fallout of a cyberattack, there has never been an attempt. Wouldn’t it be nice if that was the case?

Be sure to emphasize what could result from an attack – especially the financial fallout.
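The three items above (attacks seen, attacks thwarted, and which kinds are most common) can be pulled straight out of the logs your existing controls already produce. The script below is an added example written for this article; it is not part of the original text and not tooling from Websense, Ponemon or Verizon. The log format it parses is constructed for the example (one event per line as `date,category,outcome,source`); real exports from a mail gateway, IDS or endpoint agent will differ and the parser would need adjusting. It also shows the monthly trend, which the article does not ask for but which is what makes the briefing stick from one month to the next.

```python
"""Build a security-awareness baseline from defence logs.

Added example for this article, not part of the original text or of any
vendor's tooling. The log format below is constructed for the example;
real sources (mail gateway, IDS, endpoint agents) will differ.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample export: one event per line, "date,category,outcome,source".
# outcome is "blocked" (stopped by a control) or "succeeded" (reached a user/system).
SAMPLE_LOG = """\
2013-10-03,phishing,blocked,mail-gateway
2013-10-07,phishing,succeeded,mail-gateway
2013-10-12,malware,blocked,endpoint-av
2013-10-20,web-exploit,blocked,waf
2013-11-02,phishing,blocked,mail-gateway
2013-11-05,phishing,blocked,mail-gateway
2013-11-09,malware,succeeded,endpoint-av
2013-11-18,credential-stuffing,blocked,sso
2013-12-01,phishing,succeeded,mail-gateway
2013-12-14,mobile-malware,blocked,mdm
# comment lines and blank lines are ignored
"""


def parse_events(text):
    """Parse the constructed export into dicts; skip blanks, comments and malformed rows."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 4:
            continue  # malformed row: one bad line must not abort the whole baseline
        day, category, outcome, source = (p.strip() for p in parts)
        if outcome not in ("blocked", "succeeded"):
            continue  # unknown outcome: leave it out rather than miscount it
        events.append({"date": date.fromisoformat(day), "category": category,
                       "outcome": outcome, "source": source})
    return events


def build_baseline(events):
    """Summarise what the article says to collect: attacks seen, attacks
    thwarted, and which kinds are most common, plus a monthly trend."""
    by_category = defaultdict(lambda: {"blocked": 0, "succeeded": 0})
    by_month = Counter()
    for e in events:
        by_category[e["category"]][e["outcome"]] += 1
        by_month[e["date"].strftime("%Y-%m")] += 1
    total = len(events)
    blocked = sum(1 for e in events if e["outcome"] == "blocked")
    # Rank categories by total attempts; sorted() is stable, so ties keep log order.
    ranked = sorted(by_category.items(),
                    key=lambda kv: kv[1]["blocked"] + kv[1]["succeeded"], reverse=True)
    return {
        "total": total,
        "blocked": blocked,
        "succeeded": total - blocked,
        "block_rate": round(blocked / total, 3) if total else 0.0,  # avoid divide-by-zero on an empty log
        "top_categories": [(c, n["blocked"] + n["succeeded"]) for c, n in ranked[:3]],
        "by_category": dict(by_category),
        "by_month": dict(sorted(by_month.items())),
    }


def format_briefing(baseline):
    """Render the baseline as the short plain-language note an executive briefing needs."""
    lines = [f"Attacks observed: {baseline['total']} "
             f"({baseline['blocked']} blocked, {baseline['succeeded']} got through)",
             f"Controls stopped {baseline['block_rate']:.0%} of attempts."]
    for cat, n in baseline["top_categories"]:
        got_through = baseline["by_category"][cat]["succeeded"]
        lines.append(f"- {cat}: {n} attempts, {got_through} succeeded")
    lines.append("Monthly trend: " + ", ".join(
        f"{m}={n}" for m, n in baseline["by_month"].items()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_briefing(build_baseline(parse_events(SAMPLE_LOG))))
```

The point of separating `build_baseline` from `format_briefing` is that the numbers are the durable part: keep the baseline dicts from each month and the next briefing can show whether the block rate and the mix of categories are moving, which is the evidence that answers the "we've never been attacked" belief described above.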

Stay in front of the problem

Share information regularly with executives. If you can’t get face-time with them, an email briefing on threats will also work. If you can show that cyberattacks remain an issue – and that you’re keeping up with them – the message sticks in higher-ups’ minds.

Also important is to make sure your own people in IT know and understand security threats. Allowing time for your staff to research and summarize current threats to your company (or on a larger scale), and then sharing that info, can help keep everyone abreast of security developments.

Finally, make sure end-users are given regular security updates. When a threat that targets users becomes news, share it with your user base. Many of the most serious attacks can be prevented with just a little more communication between IT and end-users. This is especially true of phishing and mobile threats.
