“Practice makes perfect” is one of the most famous idioms in the English language. But perhaps it’s a phrase still unknown in most IT shops.
According to a survey conducted by Lieberman Software at BlackHat USA 2015, 92% of IT security professionals believe that cyber security drills are a good way to prepare for cyber attacks. Seems obvious enough, right? But here’s the follow-up: 63% of the same respondents admitted that their organizations either never run such drills, or only do so once a year.
Here’s the breakdown of responses to the question “How often does your company run cyber security drills?”:
- Quarterly: 11.2%
- Every 6 months: 25.5%
- Annually: 32.7%
- Never: 30.6%
Clearly, the majority of IT security professionals understand the benefits of running cyber security drills as a means toward proactive cyber defense. After all, many organizations today claim they’re subjected to continuous cyber attacks, so you would expect companies to do everything possible to limit the damage potential intruders can cause. But that’s not what this survey tells us.
Why would only a small percentage of organizations put beneficial cyber security drills into practice? The answer may be found in another portion of this survey.
Executive Management Does Not Heed Cyber Security Alarms
The survey also revealed that IT professionals warn their management about looming IT security disasters, but say it’s the executives who fail to take action. When asked about the obstacles they faced when trying to convince management to proactively deal with cyber threats, respondents said:
- IT does not have a place in the corporate board room: 10.7%
- There is not sufficient budget to rectify the situation: 9.7%
- Management does not understand the severity of cyber threats: 11.7%
- All of the above: 44.7%
- None of the above: 19.4%
- Some combination of the first three answers: 3.9%
So, according to this survey at least, IT teams are aware of the consequences of cyber attacks, but can’t convince the C-suite to implement proactive cyber defense. To be fair, this is the response you’d expect from attendees at BlackHat. The show generally attracts infosec professionals from down in the trenches, as opposed to IT managers and executives who make funding and process decisions.
Maybe the takeaway is that executives should learn about the cyber threats targeting their companies, and then gain a good understanding of their company’s IT security defenses.
And with the spate of cyber attacks that frequently make the news, executives would be wise to assume that intruders are already inside their networks. That means they should ensure that their organizations can contain cyber attacks by securing privileged access, and by removing shared and long-lived credentials that intruders exploit to move around the network.
These steps would help mitigate damage and protect the company’s reputation when that inevitable cyber attack does occur. Of course, this would require executives to quit ignoring the advice of their IT teams.
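The advice above, removing shared and long-lived credentials, is something an IT team can turn into a recurring check rather than a one-off project. The following is an added example, not code from the original post or from Lieberman Software: a small audit that takes an inventory of privileged accounts and flags credentials that are reused across hosts, credentials older than a rotation policy allows, and the overlap of the two (the accounts an intruder would find most useful for moving laterally). The inventory, the `secret_fingerprint` field (standing in for a hash of the credential so that the audit never handles passwords), and the 90-day policy are all assumptions constructed for the example.

```python
"""Credential hygiene audit: flag shared and long-lived privileged credentials.

Added example, not from the original post or from Lieberman Software.
The inventory below is constructed; a real audit would pull these rows from
a directory, a vault, or a host-scanning tool.
"""
from collections import defaultdict
from datetime import date, timedelta

# Assumed rotation policy: anything older than this is "long-lived".
MAX_CREDENTIAL_AGE_DAYS = 90

# Constructed sample inventory: one row per (host, privileged account).
# "secret_fingerprint" represents a hash of the credential, so two rows with
# the same fingerprint share a password without the audit seeing it.
INVENTORY = [
    {"host": "web-01", "account": "Administrator", "secret_fingerprint": "fp-aaa", "last_rotated": date(2015, 7, 20)},
    {"host": "web-02", "account": "Administrator", "secret_fingerprint": "fp-aaa", "last_rotated": date(2015, 7, 20)},
    {"host": "db-01",  "account": "Administrator", "secret_fingerprint": "fp-bbb", "last_rotated": date(2014, 11, 3)},
    {"host": "db-01",  "account": "svc_backup",    "secret_fingerprint": "fp-ccc", "last_rotated": date(2013, 5, 15)},
    {"host": "web-01", "account": "svc_backup",    "secret_fingerprint": "fp-ccc", "last_rotated": date(2013, 5, 15)},
    {"host": "app-01", "account": "Administrator", "secret_fingerprint": "fp-ddd", "last_rotated": date(2015, 6, 30)},
]

# Constructed "today" so the example is reproducible (BlackHat USA 2015 week).
AUDIT_DATE = date(2015, 8, 5)


def principal(row):
    """Render a row as HOST\\ACCOUNT for reporting."""
    return row["host"] + "\\" + row["account"]


def find_shared_credentials(inventory):
    """Map each fingerprint used on more than one host to the principals using it."""
    hosts_by_fp = defaultdict(set)
    principals_by_fp = defaultdict(set)
    for row in inventory:
        hosts_by_fp[row["secret_fingerprint"]].add(row["host"])
        principals_by_fp[row["secret_fingerprint"]].add(principal(row))
    return {
        fp: sorted(principals_by_fp[fp])
        for fp, hosts in hosts_by_fp.items()
        if len(hosts) > 1
    }


def find_stale_credentials(inventory, today, max_age_days=MAX_CREDENTIAL_AGE_DAYS):
    """Return principals whose credential was last rotated before the policy cutoff."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(principal(r) for r in inventory if r["last_rotated"] < cutoff)


def audit(inventory, today):
    """Combine both checks; 'shared_and_stale' is the highest-priority remediation list."""
    shared = find_shared_credentials(inventory)
    stale = find_stale_credentials(inventory, today)
    shared_principals = {p for group in shared.values() for p in group}
    return {
        "shared": shared,
        "stale": stale,
        "shared_and_stale": sorted(p for p in stale if p in shared_principals),
    }


def audit_sample():
    """Run the audit over the constructed inventory at the constructed date."""
    return audit(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    report = audit_sample()
    for fp, group in report["shared"].items():
        print(f"shared credential {fp}: {', '.join(group)}")
    print("stale:", ", ".join(report["stale"]))
    print("shared AND stale (fix first):", ", ".join(report["shared_and_stale"]))
```

On the constructed data the audit reports two shared credentials (the local Administrator password reused on both web servers, and the backup service account reused across a web and a database host), three stale ones, and marks the two `svc_backup` entries as both shared and stale. Replacing the inventory with a real export and scheduling the script is the kind of low-cost, repeatable check that gives a management conversation concrete numbers to work with.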