Three out of four organizations have a significant exposure to cybersecurity incidents, and half consider their incident response as no better than ad hoc — or even nonexistent. Disturbingly, energy and government respondents surveyed in a new study by network security firm RSA Security ranked as the industries least prepared to confront a cyber attack. But the financial services sector is not far behind and continues to be outclassed by many other industries that don’t have nearly the sums of money at stake.
The RSA “Cybersecurity Poverty Index” is in its second year of compiling survey results from nearly 900 respondents across the world. The 2016 edition concludes that the majority of organizations fail to make progress on their cybersecurity systems and protocols because they simply do not understand how greatly cyber risk can affect their operations. In all, fewer than one out of ten (7.4%) respondents reported that they have mature cyber-defense systems.
“This second round of cybersecurity research provides tangible evidence that organizations of all sizes, in all industries, and from all geographies feel unprepared for the threats they are facing,” said RSA President Amit Yoran.
Cyberattacks cost companies $400 billion USD per year, according to insurance giant Lloyd’s, and “phishing” is among the most pervasive hacker strategies. This style of attack involves an unsolicited attempt — usually through spam email — to trick users into giving up sensitive information. The most recent Symantec “Internet Security Threat Report” revealed that 52% of all email received within the financial services industry is spam.
Companies in Each Industry with a High Level of Cyber-defense Maturity
Source: RSA, 2016 Cybersecurity Poverty Index
In financial services, insurance, and real estate, the report found that one out of every 2,200 messages included a phishing attempt. While this may seem like a low number, it is higher than in the energy, transportation, construction, and mining sectors. Additionally, one out of every 310 messages was found to contain malicious code.
But despite this vast exposure in an industry with trillions of dollars at stake and millions of customers in the United States alone, the financial services world still lags behind others in bolstering security. Roughly a quarter (26%) of companies in the sector surveyed by RSA consider themselves well prepared — down from one-third (33%) just a year ago.
One of the key issues identified is that organizations in all industries often don’t take cybersecurity seriously until after they are attacked. Those that are hit are 65% more likely to have highly developed defenses compared to those that have not experienced an incident, according to RSA.
“We need to change the way we are thinking about security — to focus on more than just prevention, to develop a strategy that emphasizes detection and response,” said Yoran. “Organizations need to set their agendas early, build comprehensive strategies, and not wait for a breach to force them into action.”