93% of security decision makers are being kept awake at night

A new research report by CSI Ltd looking into the top concerns of cyber security decision makers finds that 78% believe the current cost-of-living crisis will increase the risk of a cyber threat occurring in their organisation. This finding was especially prevalent in the healthcare (84%) and financial services (86%) sectors.

  • Wednesday, 1st February 2023 Posted 1 year ago in by Phil Alsop

The vast majority (93%) of those surveyed are currently being kept awake at night worrying about organisational security issues. The top three issues reported were lack of cyber security skills within the organisation (30%), limited resources within the IT team (29%) and old IT infrastructure (27%). 25% of cyber security decision makers were also worried about third party suppliers leaving them vulnerable to a cyber-attack.  

 

Leyton Jefferies, Head of Cyber Security Services, CSI Ltd, comments, “The cost-of-living crisis is very attractive for threat actors looking to prey on victims who may be more vulnerable than normal. Criminal opportunists understand that resources are increasingly being squeezed and constrained and employees may be less diligent about clicking on links. Unfortunately, it presents the perfect landscape for them to thrive. The paranoia in the healthcare and financial services sectors may be due to recent high-profile breaches and a greater understanding of the power of the data that they hold. Of course, the positive that we can take away from this is the level of awareness and an obvious reluctance to brush off the perceived risk. Cyber security decision makers appear to be going into this recession with their eyes wide open.” 

 

Nick Westall, CTO, CSI Ltd, explains, “While the level of security concern exhibited by cyber security decision makers may be justified, operationalising this mentality across the whole organisation will be one of the biggest factors to tackle this year. Effective cyber hygiene relies on fostering a zero-trust culture which assumes that every user and device accessing a network is a potential threat. To make this happen, involvement across the C-Suite is needed to ensure that cyber security investments are worthwhile and effective, and that security training is implemented at every level.”  

 

For respondents in the healthcare sector, a lack of budget was a top concern (30%). This is particularly worrying for an industry where the perceived risk is higher.  

 

But one of the reasons why this was not a top worry of other sectors may be down to a greater understanding of the cyber security challenge at board level. Gartner recently found that 88% of boards now regard cyber security as a business risk rather than solely an IT problem.  

 

However, this acceptance of responsibility isn’t true in all cases. CSI Ltd’s research found that almost 1 in 3 (28%) of those in larger organisations (10,000+ employees) say the board don’t take cyber security seriously enough, demonstrating that more collaboration is required. 

  

To protect organisations in challenging economic times, CSI Ltd recommends the following security controls alongside an effective employee education programme: 

 

Immutable backup and disaster recovery. Organisations should regularly perform immutable backups; a file that can't be altered in any way. It should be able to deploy to production servers immediately in case of ransomware attacks or other data loss. 

Endpoint detection and response (EDR). Install antivirus solutions to protect endpoints against malware, viruses, and other attacks. 

Managed detection and response (MDR). Using a cybersecurity service that combines technology and human expertise will perform more effective threat hunting, monitoring, and response. The main benefit of MDR is that it helps rapidly identify and limit the impact of threats without the need for additional staffing. 

Security Orchestration, Automation, and Response (SOAR) Streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation. 

Patch management. Consistently implement patches and updates. 

Multi Factor Authentication. Verifying a user’s identity before allowing access.