Craig McDonald Sep 21, 2022 10:18:09 AM 13 MIN READ

Why Aren’t Business Leaders Making ‘Data Security’ a Priority?

The cybercrime landscape changes drastically year-on-year, but businesses remain slow to keep up. In my most recent blog, I asked, “Are Businesses Taking Data Security Seriously?”. After exploring some of the biggest data breaches the world has seen, what stood out to me most was that 83% of the organisations studied in IBM’s Cost of a Data Breach Report 2022 had suffered from more than one data breach. As the saying goes, “Fool me once, shame on you; fool me twice, shame on me”. A single data breach can be seen as an accident to learn from, but why is the number of repeat offenders so high?

With this question on my mind, I turned to my LinkedIn network to ask, “What’s the main barrier that prevents executive leadership teams from making data security a priority?”. Given my network is primarily made up of business owners and professionals in the cybersecurity industry, I couldn’t think of a more qualified group to answer my query.    

Here are the results:

  • 57% of respondents answered ‘Think it won’t happen to them’
  • 30% of voters chose ‘Don’t have the people/skills’
  • A further 9% answered ‘Budget issue’
  • The remaining 5% voted for ‘Other’

The results are varied. It’s a complex issue, and there’s certainly no single reason why data security isn’t made a priority, but some barriers hold greater weight than others. Let’s explore these answers further.  

Think it won’t happen to them 

With more than half of respondents providing this answer in the poll, it’s clear that this age-old thinking is still relevant in 2022. Despite constant warnings in the media, growing victim counts each year, and the fact that “more than 80 percent of U.S. companies indicate their systems have been successfully hacked in an attempt to steal, change or make public important data”, business leaders are still falling into this naïve way of thinking.  

 With boards and investors to answer to, the risk for large businesses is extra high. I can’t accept that cyber and infosec professionals are so foolish, which can only mean that they are not equipped to influence the higher echelons of executives and decision makers. 

Small-to-medium businesses, however, are perhaps falling into this trap. Last year, a study conducted by CNBC and Momentive questioned more than 2,000 small business owners across the United States and asked how prepared they were for a cyberattack. The results found that:

  • 56% of participants in the study said they were not concerned about falling victim to a cyberattack in the next 12 months
  • 24% had no concerns about an attack
  • 59% believed they could quickly recover from an attack
  • 42% admitted to having no response plan in place
  • 11% were unsure

Perhaps due to their size, they believe they’re off the radar of cybercriminals, but it’s a dangerous and frankly unrealistic way of thinking, particularly given the fact that over 50% of all cyberattacks are carried out on SMBs.

Don’t have the people/skills 

The COVID-19 pandemic escalated cybersecurity concerns in a way that few could have predicted. More than two years after the onset of the pandemic, many businesses have switched to remote or hybrid work models, and the threats to data security are greater than ever. Consequently, the demand for cybersecurity personnel is at an all-time high, and with an estimated 3.5 million unfilled positions in the industry worldwide, it’s evident the workforce is simply unable to keep up.  

Finding and retaining qualified people to fill critical cybersecurity roles is currently one of the biggest challenges for businesses looking to protect themselves. A recent study involving global leaders found that:

  • 60% struggle to recruit cybersecurity talent 
  • 52% struggle to retain qualified people 
  • 67% agree that the shortage of qualified cybersecurity candidates creates additional risks for their organisations 

In response, large businesses are taking matters into their own hands. Earlier in the year, Commonwealth Bank started a pilot program to train a new cohort of cyber security professionals. The program saw 50 staff, including “senior leaders in cyber, risk managers, change managers, talent acquisition partners, behavioural analytics specialists, members of [their] scams team, branch managers, institutional bankers, private bankers, cloud specialists, engineers and fraud specialists” go through an intensive 12-week masters-level course at the University of New South Wales to increase their cybersecurity knowledge and skills.

Similarly, in June 2022, Deloitte announced that they had set up their own innovative Cyber Academy program, which was co-designed with the Australian Government to help close the gap on the skills shortage in the industry. The “earn as you learn” program is expected to fast-track the careers of 1,200 Australians and allows them to earn a wage while completing their studies. At completion, the graduates will emerge with a Diploma of Information Technology and a Bachelor of Computer Science from TAFE NSW, University of Wollongong, or Swinburne University of Technology.

Unfortunately, many SMBs are unable to compete with innovation at such scale. The inability to develop their own talent and to compete for cybersecurity professionals means small businesses may continue to have unfilled roles, putting their organisations at greater risk of attack.

 

Budget Issues 

Almost one in ten of the respondents said that budget issues were likely a barrier. The cybersecurity threat landscape changes so rapidly that the spend required to prevent attacks must be reviewed each year. In 2019, the average spending on cybersecurity was only 5% to 8% of the overall technology budget. However, Gartner found that worldwide cybersecurity spend increased by 17.5% from 2020 to 2021, and its 2021 CIO Agenda Survey showed that more than 61% of the 2,000 CIOs surveyed had increased their investment in cybersecurity that year and stated that it was the top priority for new spending. It's a promising sign and suggests that budget is likely not the barrier that some may think.

I’m interested to know your opinion on that matter. With the constant reminders of data breaches in the media and the growing costs of cybercrime, do you believe business executives are still naïve enough to think they won’t suffer a cyberattack? Or do you think there are other underlying issues that prevent executive leadership teams from making data security a priority? 

Keeping businesses safe and secure

Prevention is always better than a cure, and the best defence is to encourage businesses to proactively boost their company’s cyber resilience levels to avoid threats landing in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.

No one vendor can stop all threats, so it’s crucial to remind customers that if they are using Microsoft 365 or G Suite, they should also have a third-party email security specialist in place to mitigate their risk, for example a third-party cloud email solution like MailGuard.

Talk to us

MailGuard's partner blog is a forum to share information and we want it to be a dialogue. Reach out to us and tell us how we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.  

Australian partners, please call us on 1300 30 65 10  

US partners call 1888 848 2822  

UK partners call 0 800 404 8993  

 

We’re on Facebook, Twitter and LinkedIn.
