Virtually every part of the economy is vulnerable to cyberattacks and few in the world of business know exactly what they need to do to keep themselves safe.
That’s the conclusion drawn from a lengthy white paper authored by FICO, the analytics firm.
The survey of business leaders in the U.S., Canada and several European countries (the United Kingdom, Sweden, Finland and Norway) finds that nearly all companies report that cyberattacks have either increased over the last year or remained steady. Only a minuscule portion of respondents saw the number of attempted hacks decrease.
When IT professionals at companies were asked about what they expected to come in terms of cyberattacks, they were even more pessimistic. Sixty-two percent say they anticipate an increase, while 37 percent predict they will remain at the current rate. Only 1 percent of respondents expect a decrease.
Employees of financial service organizations and telecommunications companies were the most likely to say they expected to see an increase in attacks: 81 percent and 76 percent, respectively.
Among those who work in media, however, only half say they expect to see an increase. This seems to make sense. While there are certainly hackers who would love to gain access to the emails between New York Times reporters and the anonymous sources who have been leaking them headline-inducing information about President Trump, the industry does not generally have the type of money or personal information that hackers are after.
What is surprising, however, is that only 37 percent of IT professionals who work in the health care sector say they expect to see attacks tick up. Health care is often described as the most coveted target for hackers, who can make a pretty penny by gaining access to the personal information included on patient records, including social security numbers, dates of birth and medical information that hackers can use to fraudulently purchase and sell drugs or devices.
The good news is that the same people who believe that attacks will increase also expect their organizations to invest more money in cybersecurity efforts. Fifty-two percent of IT workers believe spending on such measures will go up, while 48 percent believe it will remain stable.
Respondents are divided as to who presents the greatest threat of a security breach, either through malicious behavior or negligence. About 20 percent believe that rank-and-file technical staff represents the greatest threat, while nearly as many believe that senior IT management poses a greater risk. About 15 percent say their greatest concern is external IT service providers, while 14 percent say that everyday business users are the biggest risk.
Many businesses are also bracing for the potential of harmful attacks by purchasing cyber-risk insurance. About 60 percent of businesses surveyed have some type of CRI policy and 80 percent either have one or are considering buying one in the next year.
But as is the case with all types of insurance, not all CRI policies are created equal. Some do not offer comprehensive coverage and some businesses may find after a devastating attack that their policy isn’t much good.
Businesses are also divided on how the premiums they are paying for their CRI policy are crafted. About 19 percent say what they pay is based largely on industry averages, while 25 percent say that their premiums accurately reflect the specific risk profile of their company and 23 percent say that they do not believe the premiums are based on accurate information.
Finally, the report calls on C-suite executives to assume greater responsibilities for their organization’s cybersecurity. While the survey responses show that most company leaders believe their business is doing what it needs to do to protect itself, only 20 percent say that senior management is regularly involved in the company’s security strategy, note the report authors.
“From the responses received, we have seen a high level of confidence displayed by senior business and IT managers about the strength of their own organizations and their cyber-readiness strategies,” they write. “What needs to be added to this position is clear leadership and a chain of responsibility that starts in the boardroom with C-suite executives. Company directors and the senior management team must have an active involvement in the business’s approach to cyber-protection.”