Most Businesses ‘Complacent’ Over Cyber Security Drills

Nearly all businesses nowadays understand the potential damage posed to their organisations by cyber attacks.

But the vast majority are still not being proactive about their security, and fail even to conduct cyber security drills, according to a new report.

No Preparation

That’s according to a survey from Lieberman Software Corporation, which found that the majority of organisations are still gambling with their IT security.

The study, which was carried out at Black Hat Conference 2015, looked at the attitudes of nearly 150 IT security professionals. It found that 92 percent of them believe cyber security drills are a good way to prepare for cyber attacks.

But 63 percent admitted their organisations never run such drills, or only do so annually.

Indeed, only 11 percent of organisations carry out cyber security drills quarterly, while 26 percent conduct them every six months.

“What concerns me most about this survey is that the majority of IT security professionals fully understand the benefits of running cyber security drills, but only a small percentage actually put these drills into practice,” said Philip Lieberman, CEO of Lieberman Software.

“In today’s threat landscape, organisations are attacked continuously,” said Lieberman. “With this in mind, you would think companies would be doing everything they can to limit the damage of potential cyber attacks. However, our study reveals this clearly isn’t the case. And IT teams are fully aware of the consequences.”

Complacent

So who is to blame here? The survey suggests that executive management are often warned by the IT team about pending IT security disasters, but senior management “fails to take action.”

It seems that getting the message to proactively deal with cyber threats across to executive management remains a significant challenge for IT teams.

Indeed, 11 percent of respondents said they couldn’t find a way to give IT a place in the corporate board room. Another 10 percent said they couldn’t find budget to rectify the situation; 12 percent said they couldn’t convince management to understand the severity of cyber threats; and a staggering 45 percent said all of the above.

And it is not as if IT teams do not understand the risks out there, as 81 percent foresee an IT security disaster looming, but can’t convince senior management to take action.

“IT security is a company-wide issue,” said Lieberman. “Any CEO or corporate board who does not realize this will have a nasty shock when their company is attacked, their share price plummets and they lose customers.”

“Corporate boards should learn about the cyber threats targeting their companies, and should have a good understanding of the company’s IT security posture,” he added. “Executive management should assume that intruders are already inside their networks. They should ensure that their organisations can contain cyber attacks by securing privileged access, and by removing shared and long-lived credentials that intruders exploit to move around the network. This will mitigate damage and protect the company’s reputation when a cyber attack does occur.”

Threat Identification

And it seems that identifying threats remains a headache for many IT management teams: 64 percent of respondents said it would take their organisation at least a month to identify an advanced persistent threat on their network.

Last year, a Tripwire survey found that the majority of energy IT professionals were confident they could detect a data breach on critical systems within a week, despite industry research showing that most breaches go undiscovered for weeks, months or even longer.

The Lieberman survey also found that the majority (84 percent) of respondents think that unmanaged privileged credentials are the biggest cyber security vulnerability in their organisation.

This is not the first time that Lieberman Software Corporation has exposed worrying security issues.

In June, another of its surveys revealed that 87 percent of IT professionals believe large financial hacks are happening more often than reported, often right under the nose of a security auditor.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
