The foremost concern facing organizations across all sectors is the persistence of cyberattacks and other threats that jeopardize their operational continuity. Among these threats, ransomware is at the front of the pack, with its impact escalating as cybercriminals continue to amass substantial ransom payments.
That said, ransomware is one facet of the multifaceted threat landscape. Organizations grapple with a diverse array of risks emanating from external and internal sources that span from deliberate human actions to naturally occurring vulnerabilities. Adding to this complex panorama is the impending specter of AI wars, a threat on the horizon that looms ever closer.
These challenges raised questions – questions from InformationWeek, a business technology resource: “how well-prepared are modern companies to confront these threats? Are their cybersecurity champions experiencing burnout in the face of relentless challenges, or are they rising to the occasion with unwavering enthusiasm?” The questions are what prompted InformationWeek to conduct a study, and the findings were appalling.
“Our survey asked respondents what types of events, including cyberattacks, caused major disruptions to their IT systems. They told us that increasing attacks by malicious actors are making it more difficult for organizations to maintain IT operations after an incident; but it’s much more complicated than that,” said Sara Peters, editor-in-chief of InformationWeek. “Many of the decisions that CIOs and CISOs have to make during a crisis aren’t about technology; they’re about business and risk.”
With all the talk surrounding cybersecurity, most would expect cyber risk mitigation investments to be high, right?
Well, that was not the case as cyber risk mitigation investments are not the bulk of budget allocations for most companies. Almost 40% of respondents allocate less than 10% of their annual IT budget to cybersecurity, one-third dedicate between 10% and 24% of their budget to cybersecurity, and 16% spend between 25% and 49% of their budget on protecting their company from cyberthreats.
This allocation of budget for cybersecurity is a cause for concern because it reflects a potential mismatch between the level of cyber risk and the resources dedicated to mitigating it. Allocating a relatively small portion of the IT budget to cybersecurity suggests that many companies may not be adequately prioritizing or investing in measures to protect themselves from pervasive and increasingly sophisticated threats.
Looking deeper into the budget allocations, the study found that the cybersecurity investment is typically split between defense at 70%, such as technologies and talent expenditures, and rebound at 30%, like business continuity, disaster recovery, data backups, cyber insurance and ransom money.
Rebound is the key here because a strong defense strategy may not be enough to hold the attackers back. A company must rely on the strength of its rebound plan. The best way to gauge the incident response effectiveness is to test it, yet nearly one quarter of companies surveyed have never conducted tests or are unsure if their teams have tested with tabletop exercises or other measures.
Backups top the list of tools and procedures used by respondents, yet half of respondents report they include misconfigurations in their cyber resilience plans, and 43% include planning for severe weather events.
Additionally, nearly half of companies reported carrying cyber liability insurance either as a standalone policy or as a rider on a larger business insurance policy. Of those with cyber insurance, 84% believe the protection is worth the expense.
Cyber insurance provides benefits, such as financial protection in the event of a cyberattack, coverage for legal and regulatory expenses and assistance with the costs of recovering from a breach. For some organizations, especially those with limited cybersecurity resources, yes, it is a valuable safety net.
“Cyber resilience and cyber incident response plans are expanding to include supply chain breakdowns, cloud computing outages, geopolitical events, AI-related threats, death, climate change and more,” said Peters. “Many technologies are implemented to maintain resilience, and solid backups remain the number one answer.”
The state of cybersecurity is still in the realm of underdog status given the continuous and rapid rise of new and ever more sophisticated attacks. However, cybersecurity is far from being a hopeless endeavor. Against the odds, 61% of those surveyed reported high satisfaction among their cybersecurity teams, despite the scarcity of resources.
“The challenges seem insurmountable sometimes, and the fact that our readers approach cyber resilience so bravely is impressive,” said Peters.
Edited by
Greg Tavarez
