Nearly 20 percent of IT professionals in the UK have admitted in a survey that their organisations have ignored critical security incidents in the past because they didn't have the skill or time to fix them.
Although the proportion of UK IT professionals (19 percent) whose organisations have let security incidents go unaddressed because of personnel shortages or a lack of training among cyber-security employees is less than half that in the United States (42 percent), such a lack of readiness could be disastrous to the reputation and financial viability of businesses.
The survey, carried out by Outpost24 at Infosecurity Europe in June, also revealed that IT professionals at organisations in the UK are quite aware of the greatest risk areas in their organisations' IT infrastructure. An overwhelming majority of such professionals singled out mobile devices (37 percent) and IoT devices in their IT networks (35 percent) as their biggest cyber-security concerns, compared to just eight percent who thought that their cloud infrastructure and applications were the most vulnerable.
The number of IT professionals who were concerned about the security of data assets, databases and web applications was also in single digits, suggesting how important it is for organisations to regulate the use of mobile devices and to patch insecure IoT devices to alleviate the security concerns of their employees.
However, if organisations fail to respond effectively to emerging threats, whether due to lack of funds, a shortage of cyber-security staff or a lack of skilled staff, they will have no choice but to brace for the next big attack, which could lead to disastrous consequences.
"Our survey results suggest that businesses are adding technology as a key element of their strategy but not preparing their security teams with the skills and resources to keep up. Hackers understand there are key areas of technology which organisations will often overlook in terms of cyber-security and they will target these weaknesses first," said Bob Egner, VP of products at Outpost24.
"A comprehensive security posture covers the full stack - network infrastructure, cloud environments, applications, mobile devices and even people," he added.
The lack of confidence that IT professionals have in the security of their IT networks also came out in the open after 77 percent of those interviewed by Outpost24 said they could hack into any organisation either using social engineering (63 percent), infiltrating insecure mobile devices, infiltrating insecure web applications, or by infiltrating an organisation via their public cloud.
Given that 19 percent of UK IT professionals admitted that their organisation has at one time had to ignore a critical security incident because it didn't have the skills or time to fix it, is this because enterprises do not have the necessary funds to hire the required number of cyber-security personnel, or because the level of training provided to IT professionals is not enough to cover the entire range of cyber-risks?
Commenting on the finding, Jake Moore, security specialist at ESET, told SC Magazine UK that while IT security for many large organisations is all about getting the right balance of cyber-security personnel vs training amongst the company as a whole, in most cases it simply comes down to cost.
"Cyber-attacks are sadly inevitable and you will never have enough people, systems or money to prevent or detect an attack. Therefore, you need to invest multiple prevention techniques as well as time and energy into being able to respond and recover," he said.
"There tends to be a lack of training amongst large businesses due to the hidden costs involved when employees are away from their desks but training and countermeasures to large-scale attacks can sometimes be underrated or overlooked. This can be disastrous to a business and it's all too easy to look back in hindsight as to what might have been better suited in place before the attack," he added.