Rubrik survey shows much work to be done on cyber security awareness
Almost half (49.4%) of Irish companies do not have a policy in place for dealing with a ransomware attack. The stark finding comes from a report by TechCentral in association with Rubrik, the findings of which were discussed at the recent Zero Trust Summit.
The survey of 83 IT professionals delved into the distribution of responsibility for resolving the effects of a cyber attack and how to manage its aftereffects.
Over the past year 73.5% of respondents said their exposure to cyber security threats had increased, with spam and phishing being the biggest persistent threats experienced by 71% of organisations. Malware was noted as the second most prevalent threat (39.8%) followed by identity fraud (25.3%), social engineering and advanced persistent threats (both at 21.7%).
In comparison to a similar survey carried out in 2022, respondents showed a better appreciation of the roles and responsibilities of IT, security and management when recovering from a breach. A total of 76.8% of IT pros said they were either ‘clear’ or ‘very clear’ about their role in the event of an incident.
In terms of priorities for staff, almost three quarters of respondents (77.1%) said their organisation had placed a priority on securing talent; however, fewer than half of organisations (41%) were prioritising ongoing professional development for staff.
When it came to relationships with vendors, a good record on sustainability was only considered a priority by 28.9% of respondents. Furthermore, 51.8% said they were either confident or very confident that vendors deliver information on vulnerabilities and security patches in a timely fashion.
What’s most concerning, however, is the level of aftercare for teams stretched to the limits during and after an incident. A staggering 92.8% of respondents said their organisation had no aftercare programme to help manage the lasting stress of a data breach.
What it all means
What does this survey tell us that we didn’t know already from its predecessor in 2022? Mostly that management are becoming more aware of the need for clear cyber security policies, practices and the resources needed to maintain a safe environment.
That respondents in the main reported knowing their role is also good news as it reflects greater focus at management level.
What is concerning is that while there is an understanding of the importance of cyber security and of having a proper chain of command, there remains a knowledge gap when it comes to the mental toll of managing open-ended recovery operations. There also remains a reticence about upskilling, probably on the assumption that ongoing professional development is merely a pathway to a better paying job somewhere else. Both of these points show a short-termist view of managing staff, working with an assumption of high churn and better terms and conditions available at a handful of multinational powerhouses it would be foolish to compete against. ‘Doing more with less’ continues to be the ethos of many organisations.
The wisdom of ‘if not now then soon’ regarding when organisations will be hacked is to be adhered to, and that means looking after the people tasked with clearing up the mess. Hopefully next year’s follow-up will see that message land.