Employer overconfidence, skills shortages in cyber security
Despite concerns over skills shortages and the increasing volume and sophistication of cyber attacks, Irish organisations at a senior level appear to be somewhat overconfident in their ability to deal with cyber threats.
According to new research by Amarach Research and Microsoft, nearly half (48%) of senior decision makers in larger Irish organisations agree that their organisation is well secured against advanced cyber-threats, a further 2% strongly agree.
Close to two thirds (59%) of government organisations agree they are well secured against advanced cyber threats.
The research was carried out among more than 200 senior decisions makers in organisations in Ireland with 250 or more people, in public and private sector and focused on cyber security from the employer perspective. It builds on previous research which focused on employee habits and practices.
This apparent confidence to meet cyber security threats seems at odds with the experienced incidence of cyber crime as the majority (70%) of organisations admit to having experienced problems with phishing, hacking, cyber fraud and other cyber attacks.
Of such threats, the primary concerns were around:
- 62% Inadequate password and security practices
- 59% ransomware attacks
- 56% growing sophistication and volume of threats
- 50% loss of data
The report cites Cyber Ireland figures that there are 2,500 unfilled roles in cybersecurity, with a predicted 3.5 million unfilled jobs globally by 2021.
With regard to finding someone with cyber security skills, 13% say it is very challenging, 41% say challenging, with only 19% saying it is either not very or not all challenging.
Somewhat at odds with the above metrics are 1 in 4 who say they are confident their organisation can respond to any security incident effectively, but yet this rises to 33% among government organisations.
“Overall we see a lack of confidence amongst Irish companies regarding their approach to digital security and access management. A gap exists between an organisations’ view of how secure they are, versus the reality where their organisational security habits are leaving them open to data loss or hacking. Iterative security policies, and poorly implemented planning have spawned some bad employee habits that opened up specific areas of potential risk that this report will talk about in more depth,” said Des Ryan, solutions director, Microsoft Ireland.
“Enterprise security is as much a reputational priority as cash flow or quarterly earnings. It needs to be a foundational element of any major organisation, reinforced with a consistent set of policies, practices and training across the four key areas of security outlined in this report.”
The report firmly argues that it is time “to start talking about security as a differentiator, money saver, and foundational element in every enterprise strategy”.
“This is not simply another report about the importance of cyber security but more of a business case for prioritising security. For example, productivity is paramount for today’s enterprise, but productivity grinds nearly to a halt when security lapses occur. In fact, a quarter of a company’s attack costs are attributable to downtime, according to recent Microsoft research.”
Identity and access management (IAM) is highlighted as an area requiring improvement, with issues reported around too many portals and too many passwords; escalating number of password reset calls to Help Desk and rising costs; and lack of visibility and control across environments.
Almost two thirds (63%) of employers would welcome alternatives to passwords, 25% of those in government sector would.
Among the password alternatives, dual device access was preferred by most, followed by geo location verification, and biometric verification.
The report says that only a third of senior managers agree completely that their organisation’s access management security is strong, falling to 1 in 4 for those employing under 500 staff. By contrast, nearly two thirds (65%) of senior decisions makers in organisations in Ireland believe their password policies are best in class.
To address some of these issues and concerns, a majority (69%) of organisations are planning to hire someone with cyber security expertise into the organisation, while nearly half (49%) of businesses say they will increase their investment in digital security, increasing to just over two thirds (67%) for government organisations.
Of those investments, just over two thirds (67%) will invest in software, two thirds (66%) will invest in training, with less than half (47%) intending to invest in hardware, and less than a third (31%) in recruitment.
The report suggests that, as cybersecurity threats increase in scale and sophistication, IT decision makers in Ireland’s largest firms are looking at new ways of responding to these threats and are prepared to invest in the means to secure their business operations in future.
The two thirds who will invest in training is supported by expressed concerns over the risk of employees exposing the company to digital security risks. Nearly four in 10 (38%) were worried or extremely worried, with the same being a little worried.
The report concludes by saying, “We began by noting the growing threat posed by cybersecurity breaches on a global scale. But we also noted that cybersecurity isn’t just an IT issue: it’s a business issue.
“Those firms that make the right investments in cybersecurity — for their employees as well as for their customers — will not only enjoy greater security in terms of day-today business operations, but they will also enjoy higher levels of staff and customer satisfaction as services remain secure, flexible and easy-to use.
“But we should also note the gaps that exist between employees’ experiences of security in their firms and what employers say. Unless that gap is closed — and employees feel that their own cybersecurity resources and skills are properly developed — then the investments made in cybersecurity in the years ahead will not deliver their full potential to either the organisation, nor the employee.”