Three quarters are exposed to increased IT risks

A new RSA study shows that most organizations' security strategies remain patchy. Nearly half of companies are unable to assess, catalog or mitigate IT risks, or can do so only on a case-by-case basis, it says.

Around three quarters of IT security programs in companies and public authorities still have critical gaps. That is according to the latest "Cybersecurity Poverty Index Report", recently published by RSA. According to the EMC subsidiary's report, the ability to respond quickly to security incidents is lacking above all: around half of the organizations surveyed described their own "incident response" as "ad-hoc" or even "non-existent" - including many critical infrastructure operators.

Other key findings of the report: IT organizations that invest specifically in technologies to detect and contain attacks often achieve greater protection than others that spend most of their money on prevention technologies (firewalls, for example). What's more, many companies only invest more in IT security after they have been the victim of a business-damaging attack. However, many fail to improve their own protection programs because they do not understand exactly how IT risks affect their business.

Only 7% with very good protection

The report shows a clear correlation between the ability to notice attacks and the IT security maturity level: companies that frequently record irregularities in or attacks on their IT environment have a 65% likelihood of also having advanced or even very advanced IT security strategies and technologies.

But as the report also shows, the number of these companies remains low, even though it appears to be growing: the proportion of very well protected IT environments in the overall sample was 7.4% (previous year's edition of the report: 4.9%). By contrast, the number of respondents who consider their own operations to be affected by IT risks remains high: around 75% of survey participants gave a corresponding assessment.

The ability to prioritize is often lacking

This could be related to the fact that many companies find it difficult to initiate proactive security measures: 45% of respondents said their organizations were unable to catalog, assess or reduce IT risks at all or only on a case-by-case basis; only 24% of survey participants rated their IT's corresponding capabilities as advanced.

Above all, the inability to specify precise tolerance values and thresholds for certain risks makes it difficult for those responsible to prioritize investments or countermeasures - although this is one of the most important prerequisites for IT security in the company.

EMEA region leads the way in security

Like last year's edition, the report shows that the difficulties described affect operators of critical infrastructures in particular. Public authorities and other public enterprises, as well as energy providers, even performed the worst in the comparison of IT security maturity levels: only 18% of the operations in this group rate their own security programs as advanced or very advanced.

Companies in the financial sector do not appear much better equipped: although they are often described as leaders in IT security, only 26% of the financial service providers surveyed achieved one of the top two maturity levels out of the five - a significant drop from the previous year's figure of 33%. By comparison, of the companies surveyed in the aerospace and defense industry, 39% still have advanced or very advanced security programs.

The countries of the EMEA region (Europe, Middle East and Africa) lead the regional comparison in the report; here, 29% of the companies and authorities achieve an advanced or very advanced IT security maturity level. In second place are the countries of the Asia-Pacific region, including Japan, with 26%, and bringing up the rear is the Americas region with 23%. While the EMEA region improved by three percentage points and one place compared with the previous year, the APJ region lost 13 points and therefore dropped to second place.

Text: RSA

About the study: For the Cybersecurity Poverty Index Report, IT and security professionals from 878 companies, 24 industries and 81 countries were asked to rate their organization's IT security maturity. Self-assessment was conducted along the basic capabilities of "Identify," "Protect," "Detect," "Respond," and "Recover" captured in the "NIST Cybersecurity Framework" (CSF). Participants rated the maturity of each capability in their organization using a five-point scale (1 = "capability not present," 5 = "capability at a very advanced level").
