Organisations ‘wait for attack before defending themselves’, says security report
Executive boards in pandemic-struck sectors are putting their companies’ recovery at risk by only approving IT security spending after they have been victims of a cyber-attack, according to a new report.
A survey, conducted by digital security provider Tanium, of UK IT decision makers who had recently experienced a cyber attack found that 86 per cent think that senior leadership is ‘only likely to invest in cyber security after suffering a damaging attack’.
In Tanium’s ‘Cybersecurity: Prevention Is Better than the Cure’ report, 75 per cent of respondents stated that ‘some cyber-security incidents needed to happen’ in order to get increased tech investment from their leadership.
“Net new funding is weighted more towards the remediation of breaches once they’ve happened,” said Oliver Cronk, chief IT architect EMEA at Tanium. “The situation is the equivalent of a business leaving the front door and windows of its offices open and only locking them after a burglary has taken place.”
The report, launched at Infosecurity Europe 2022 this week, also found that loss of productivity resulting from downtime is cited by 56 per cent of respondents as the most damaging impact of a cyber attack, rather than other repercussions such as loss of intellectual property or reputational damage.
“Attitudes towards cyber security vary between different vertical sectors, just as they do within organisational hierarchies,” Cronk said. “Our survey data shows that the banking and university sectors, for example, are mostly concerned about the financial impact of a breach, whereas private healthcare, technology and telecoms firms are more worried about the loss of productivity during downtime.”
Other listed concerns include reputational damage (48 per cent) and loss of intellectual property/data (46 per cent).
“Respondents’ concerns over the impact of reputational damage following a major data breach seem to have become less prominent,” added Cronk. “This is possibly because the public and the media seem less interested in the kind of big-name breach incidents that were in the headlines in 2018 and 2019.”
More detailed information is available on Tanium's blog, from which the full report can also be downloaded.
Yesterday, a cyber-security expert from SecureAge used the start of this year's Infosecurity Europe expo to warn that all data should be treated as sensitive by organisations and that businesses should urgently reappraise the overall value of their total data assets.
The IET’s Cyber Security for Industrial Control Systems includes advice on how to build pro-active security systems for critical infrastructure. The conference takes place 8-9 September 2022 at IET London: Savoy Place, with online attendance also available. theiet.org/cyber-ics