New research, entitled “Cybersecurity: Prevention Is Better than the Cure”, examines with a critical eye the amount of time and resources that organisations spend on reactive versus preventative cybersecurity measures and the rationale behind their decisions.
Produced by Tanium, the study surveyed UK-based IT decision makers across a variety of industries including public sector, financial services, healthcare, and retail. The most notable finding was that 90 percent of Director-level respondents whose organisations have experienced a cyber breach agreed most cyber attacks were avoidable. Despite this awareness, the study shows that IT teams neglect to implement preventative cybersecurity measures for reasons such as a shortage of technical skills and budget-allocation delays from boards of directors.
“Many organisations focus too much on cybersecurity point solutions like antivirus, rather than adopting a holistic, data-driven approach to prevention,” said Oliver Cronk, chief architect, EMEA, at Tanium. “As our research shows, many damaging security incidents – even those resulting from more sophisticated attack vectors – could have been prevented. In fact, more than half of the breaches we see could have been avoided by maintaining baseline cyber-hygiene standards. The current situation is the equivalent of leaving your front door and windows open and only locking them after a burglary has taken place.”
Key findings include:
Most damaging cyber attacks suffered by UK organisations are preventable.
- 90 percent of Director-level respondents agree that ‘the majority of cyberattacks that we have experienced within our organisation have been in some way avoidable’.
- 86 percent of organisations compromised by a breach in the last six months believed that more investment in preventative measures (such as tools or staff training) would have minimised incidents.
- 92 percent of organisations surveyed have experienced a breach at some point in the past, 82 percent within the last 24 months, and 73 percent in the last 12 months.
Boards only approve new cybersecurity funding after an incident has occurred.
- 80 percent of C-suite decision makers believe the risk of cyber threats is increasing and expect 2022 to be the worst year yet in terms of the number of attacks.
- For IT decision makers that experienced a cyber attack in the last six months, 86 percent feel that senior leadership is likely to invest in cybersecurity only after suffering an attack; 75 percent state that “some cybersecurity incidents needed to happen” in order to get increased investment from leadership.
- Loss of productivity resulting from downtime is cited as the most damaging impact of a cyber attack (56 percent of all respondents).
Preventative approaches are missed opportunities for IT teams.
- Almost seven in ten respondents believe that a predominantly preventative approach to cybersecurity is best (68 percent); a primarily reactive approach is favoured by only 32 percent.
- The skills gap and overwhelmed IT and security teams have caused preventative security measures to take a lower priority. More than half of organisations (55 percent) agree that there is insufficient staff or resources to focus on preventative security measures.
- Larger organisations are more likely to adopt a preventative approach, with 70 percent of organisations with 500+ employees citing prevention as preferable. Sixty percent of organisations with 250-499 employees agreed.
- 85 percent of all respondents surveyed agreed that there is a greater cost to recover from a cybersecurity incident than to prevent one.
A crucial element of preventative strategies is cyber hygiene, which refers to a set of habitual practices that help to secure networks and data. For example, consistent and timely patching is a fundamental element of a sound cybersecurity posture. But to be effective, organisations need to understand where vulnerabilities exist and have the ability to address them quickly and easily. The Tanium platform has these capabilities and others that help organisations strengthen cyber hygiene.
Methodology
Arlington Research conducted an online survey across the UK with IT security decision makers across organisations with 250 or more employees, between 22 December 2021 and 5 January 2022.
Three hundred interviews were completed, including 232 interviews with enterprises with 500 or more employees (77% of the overall respondent base) and 132 interviews with larger enterprises with 1000+ employees (44% of the overall sample). Fifty-five interviews were conducted within the public sector (including universities), 50 interviews were completed across banking and finance organisations, and 78 interviews were completed in technology organisations. Organisations from Manufacturing, Retail, Telecom, Healthcare and Independent Education also took part in the research.