By Haley Nolde
The first time you received notification from a company that your information had been compromised in a data breach, you probably felt concerned, maybe even a bit panicked. You likely read the entire message and may have taken the company’s suggested next steps. If you’ve since grown a little numb to these missives warning that your name, home address, email address, and, perhaps, your payment information now belong to unknown hackers, and concluded that the risk is worth the convenience, you’re not alone.
It’s much the same for companies. In spite of an uptick in cyberattacks, most recently an incident compromising up to 1,500 companies around the world that use software provider Kaseya (which includes one of Sweden’s largest grocery store chains), cybersecurity is not treated as a top concern within a large percentage of organizations, no matter their size. McIntire Professor Chris Maurer, with University of North Texas colleagues Kevin Kim, Dan Kim, and Leon Kappelman, investigated cybersecurity practices within individual organizations to determine how they’re changing over time. An overview of their research, “Cybersecurity: Is It Worse Than We Think?” published recently in Communications of the ACM, analyzes where organizations are showing improvement, where they’re stagnant, and why.
Just like consumers, organizations have developed a sense of resignation—a not-if-but-when mentality—regarding breaches in security, the authors conjecture. Since cybersecurity prevention measures rarely offer a clear ROI and may hinder productivity and innovation, it appears as though risk tolerance within organizations has risen.
“Our findings are particularly troubling, given the recent increase in attacks causing physical disruption to business operations,” says Maurer. “Consumers may have accepted the fact that their personal information is likely to be stolen, but attacks that restrict the supply of fuel/energy, healthcare, or other critical services can have devastating consequences. A ‘wait-and-respond’ approach is simply untenable, and I hope this research serves as a wake-up call for business leaders.”
How Ready Are You?
To gather data on changes in cybersecurity practices over time, the researchers assigned study participants an overall readiness score based on their implementation of three out of five standard best practices. They asked survey respondents whether their organization:
• Has a chief information security officer (CISO) or equivalent
• Requires cybersecurity training for employees
• Considers cybersecurity during software development, change management, IT procurement, and/or overall business strategy
• Measures and evaluates cybersecurity performance
• Has cyber insurance coverage
From 2016 to 2019, Maurer and his team surveyed a sample of organizations ranging in size and revenue, with many respondents participating in multiple years. For organizations that supplied responses for two consecutive years, they then compared cybersecurity readiness scores with organizational prioritization of the issue.
Walk the Talk
“We believe there is a harsh reality lurking beneath the surface within many organizations,” the authors state. They cite an annual study conducted by the Society for Information Management, which ranks IT management issues of greatest concern to organizations, and note that cybersecurity has landed in the top 10 for a decade, and took the #1 spot for the last three years. Responses to the team’s survey, however, reveal that only a relatively small percentage of organizations treat it as such.
“While they may be saying the right things in public to satisfy investors, underwriters, and customers, there is an apparent lack of urgency in promoting a truly resilient and secure organization,” the researchers observe.
Their analysis shows that most organizations fail to treat cybersecurity as an enterprise-wide priority. Many appear reluctant to hire CISOs and to offer cybersecurity personnel a seat at the planning table. Survey responses show a minimal increase over the four-year period in cybersecurity involvement in overall business strategy, and decreases in involvement with software development and IT change management. More commonly, risks are addressed in a limited way within the framework of IT procurement, when organizations purchase IT components or engage third-party systems to facilitate cloud use and vendor-supplier systems.
Leaders and Laggards
There is good news. Perhaps unsurprisingly, organizations that openly prioritize cybersecurity have better readiness scores and greater year-to-year improvement. Organizations deemed “leaders” by the researchers prioritized cybersecurity in two consecutive years; “laggards” did not give the issue priority in either reporting year. “Upgraders” made cybersecurity an organizational priority the second year but not the first, while “downgraders” made the opposite shift. Their analysis indicates that, while upgraders see the greatest increase in their average readiness score, organizations that turn their attention away from cybersecurity see virtually no improvement.
The four-year span of Maurer’s study produced dramatic increases in the purchasing of cyber insurance. “Fewer than half of organizations had such coverage in 2016, but nearly two-thirds were covered in 2019,” the team notes. While certainly a step toward greater resiliency, transferring risk to a third party through insurance is no cure-all, they warn, as coverage does not begin to offset financial and reputational losses. While some organizations have used cyber insurance to cover ransomware payments, insurance companies have responded to the increased attacks by placing caps on ransomware coverage.
“As such, much of the risk is being placed back onto organizations,” Maurer says, “so it is imperative that they continue to shore up their defenses to prevent such losses in the first place.”
Since 2016, organizations’ consideration of cybersecurity in IT procurement also notably improved. As nearly 60% of reported breaches in 2018 involved third-party systems or failures, IT procurement was a clear choice for adding security provisions.
Fortify the Defenses
Given the ubiquity of cybersecurity threats and organizations’ repeatedly stated concerns about them, Maurer and his colleagues conclude that “a surprising lack of progress is being made.” Business leaders know the steps to take to render their organizations more secure, but it’s another thing to implement them. As is true in the face of any risk, from pandemics to wildfires or even home burglaries, for example, many individuals don’t take precautions that cost money, time, or opportunity until they’ve had a personal brush with a threat that brings it close to home.
Cybersecurity breaches to organizations small and large are growing more frequent and more damaging. High-cost, high-profile cases such as the recent hackings of the Colonial Pipeline, meatpacking giant JBS, and Kaseya may raise enough alarm to prompt organizations to fortify their overall readiness.