Why U.S. Firms Are Less Cyber-Secure Than They Think

eWEEK DATA POINTS: In a world in which smart companies such as Facebook, Yahoo and Target can fall victim to hackers, how prepared can regular businesses of all types be?


The U.S. certainly is a divided nation around many issues right now, but concern about cybersecurity as a threat to a majority of U.S. enterprises isn’t one of them. Everybody agrees on that one.

A majority of participants in a recent survey enabled by FICO understand and recognize the risk of data breaches and expect them to increase, but they also believe they are better prepared than their competitors. FICO, originally Fair, Isaac & Co., is a data analytics company based in San Jose, Calif., focused on credit-scoring services.

However, in a world in which smart companies such as Facebook, Yahoo and Target can fall victim to hackers, how prepared can they be? Five hundred senior executives, most of them IT managers, participated in the research, which was conducted by Ovum.

The following eWEEK Data Points article features highlights of the research.

Data Point No. 1: Businesses aware cybersecurity threats exist

Nearly two-thirds (63 percent) of survey respondents said they expect the overall level of cyber-threats and data breach activity to go up over the coming year. Thirty-three percent reported an increase in cybersecurity attacks, and 57 percent reported experiencing the same volume as last year, when 61 percent of organizations had already reported an increased number of cybersecurity attacks.

Data Point No. 2: Prepared for cybersecurity threats

More than two-thirds (68 percent) of respondents considered their cybersecurity defenses above average (31 percent) or among the best in their industry (37 percent); 93 percent believe their company’s senior management has sufficient focus on preventing breaches; and 57 percent expect that an assessment of their cybersecurity defenses a year from now will conclude their readiness has improved.

Data Point No. 3: Risk assessment strategies in place

Perhaps one reason for the respondents’ confidence is the range of risk assessment strategies they have in place: Thirty-seven percent reported using software that gauges their risk of a breach, 27 percent reported carrying out a risk assessment using an external agency, and only 13 percent didn’t have a risk assessment strategy in place at all.

Data Point No. 4: Few concrete cyberdefense plans

When it came to tangible methods of protecting their company’s data, however, only 29 percent of respondents had a tested data breach response plan; 23 percent had a board member responsible for cybersecurity; 23 percent had an ongoing monitoring, scoring and reporting service for cybersecurity risk; and 25 percent had board-level reporting strategies and mechanisms for highlighting their organization’s security status.

Data Point No. 5: With friends like these …

Studies show that more than half of data breaches are initiated within the supply chain, yet only 31 percent of respondents reported regularly benchmarking their partners’ cybersecurity risk against their own. While it has become commonplace for cyber-risk assessment to be part of the procurement process, few companies are carrying out more than a periodic risk assessment, and 28 percent admitted to never updating an initial assessment at all.

Data Point No. 6: Insured – well, sort of

Seventy-six percent of U.S. organizations now report having cyber-risk insurance, but only 32 percent have insurance that is comprehensive. The health care industry was the least likely to have cyber-risk insurance, with only 30 percent currently insured, though another 40 percent are planning on taking out insurance in the coming year. Many U.S. organizations (73 percent) don’t believe that their premiums are based on an accurate assessment of their risk profile. The largest group of organizations (33 percent) say their premiums are based on averages for their industry.

Data Point No. 7: The risk from within

When we asked about the threat posed by those who had access to systems and networks, internal risk, from their own employees, is perceived as being much higher than risk from external IT providers and third-party contractors: 81 percent versus 15 percent and 4 percent, respectively. The majority of respondents are in senior IT positions, so it is interesting that the largest number of respondents, 55 percent, consider the biggest threat to be coming from their own organizations.

Data Point No. 8: We raised them well

Despite seeing a large proportion of their cybersecurity risk as internal, 85 percent of respondents believed their employees had sufficient knowledge of how to prevent breaches. It seems that education and knowledge are not driving the desired behaviors.

Data Point No. 9: Every industry for itself

It’s worth noting that when we divided the answers by sector there was a high level of divergence. Only 39 percent of telco-related respondents expect attack rates to rise, compared with 80 percent for financial services and for retail and e-commerce. This could be a reflection that the volume of attacks in the U.S. is starting to stabilize after a period of significant growth, or that cyber criminals are targeting their attacks against certain types of organizations, perhaps those they perceive as having the weakest defenses.

Chris Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...