Nearly half of 500 IT leaders in the UK, France, Germany and the US believe it is likely that their organisation will face a major, disruptive cyber attack in the next 12 months.
Almost 90% said they believe their organisation is “ready” to face such attacks, but at the same time they are failing to take the right measures, according to a survey commissioned by security software firm Varonis.
The survey shows that four out of 10 organisations are not taking critical steps to lock down sensitive information, putting them at risk of data loss.
Only 66% of US organisations and 51% of EU organisations fully restrict access to sensitive information on a “need-to-know” basis, which means attackers that successfully get onto a network can move laterally across the organisation with relative ease.
The research report notes that the data breach at credit rating agency Equifax demonstrated that attackers can get onto a network and spend weeks or even months stealing sensitive information before anyone knows they have been compromised.
Despite these dangers, eight out of 10 respondents said they are confident or very confident that hackers are not currently on their network.
But the report shows that massive breaches like the one disclosed by Equifax and ransomware attacks such as WannaCry are a wake-up call for organisations to shore up their security, with 80% of respondents reporting that they have changed, or plan to change, their security policies and procedures.
About a quarter of the organisations polled admitted losing data or being hit by a ransomware attack in the past two years. German firms were hit particularly hard by ransomware, with 34% of respondents in Germany reporting a ransomware attack in the past two years.
A sizeable majority (67%) of respondents reported that their organisations have cyber security insurance. Such insurance is least prevalent in the US (62%) and most common in France (75%).
Looking ahead to 2018, respondents reported a variety of cyber security concerns, with data theft and data loss topping the list, followed closely by ransomware, cloud and compliance.
“It is encouraging that IT professionals are understanding that it is a matter of when, not if, their organisation will be hit by a damaging cyber attack,” said John Carlin, chairman of Morrison & Foerster’s global risk and crisis management practice. “However, their level of confidence, when it comes to security, is inconsistent with what we see in practice.
“The reality is that businesses are consistently failing to restrict access to sensitive information and are regularly experiencing issues such as data loss, data theft and extortion in the form of ransomware.”
But Varonis CMO David Gibson said that while attackers are upping their game by using more sophisticated, blended attacks, valuable data remains vulnerable to attacks that require little to no sophistication, such as disgruntled employees snooping through overly accessible folders.
“While it is heartening that major security incidents are inspiring preparedness, if the past year is any indication, it is unlikely that the actual security of these organisations aligns with perception,” said Gibson.