The majority of businesses lack the cyber-security expertise needed to prevent cyber-attacks and protect customers, according to a recent study.
Cyber-insurance company Hiscox surveyed 4,000 organisations and rated them on a cyber-readiness model that divided respondents into 'cyber-novices', 'cyber-intermediates' and 'cyber-experts'. Only 11 percent scored highly enough in both cyber-security strategy and the quality of its execution to qualify as cyber-security 'experts'.
Nearly three quarters, 73 percent, fell into the novice category, not because of under-investment in technology but because firms are failing to support their investment in security technology with a formal strategy, sufficient resourcing and training, and sound processes.
On average, the study found experts were more proactive, with 89 percent having a clearly defined cyber strategy, 72 percent being prepared to make changes after a breach and 97 percent incorporating security training and awareness throughout the workforce.
Researchers noted that the divide in cyber-readiness between the cyber-novices and the cyber-experts is mirrored by the firms' expenditure on IT and the proportion of it they devote to cyber-security. The study found the average cyber-expert spends US$ 2.5 million (£1.8 million) a year on cyber-defence, while the average cyber-novice spends only US$ 980,000 (£705,000), although it is worth noting that a higher percentage of firms rated 'experts' were larger firms, which would likely have more resources to dedicate.
Dr. Anton Grashion, a manager at Cylance, noted that the complexity of being expert enough to chase threats into the organisation if they have not been prevented is also exacerbated by the growing cyber-skills shortage.
"Although it was a relatively small data set from which to assess the security expertise of a territory, some of the problem boils down to increasing complexity both in the threat landscape and the complexity of building the countermeasures," Grashion said. "Using the example of the NHS and WannaCry; if the malware had been stopped before it detonated, much of the knock-on effect would have been avoided."
Grashion also noted the basic importance of organisations ensuring all of their systems are patched and up to date. Experts agree. Ryan Wilk, Vice President of Customer Success at NuData Security, said that despite a flurry of high-profile breaches, ransoms and other security incidents, many businesses still think about cyber-security only as an abstract threat.
"The common wisdom amongst security professionals in 2018 is that if you haven't already been breached, you will be," Wilk said. "Companies need to match this sustained threat level with cyber-policies and products that protect them, their customers and employees as well as attempting to raise general awareness of cyber-security."
Wilk added that firms can no longer rely on passwords and usernames to keep themselves safe from cyber-crime, and that more stringent security measures such as passive biometrics or two-factor authentication will need to be adopted.