IT teams and management at odds over security policies, survey finds
New Zealand organisations are struggling to manage the multitude of issues surrounding cyber attacks - and many executives can't even agree amongst themselves, a new study by Perceptive on behalf of Kordia has found.
According to the survey of 180 IT decision makers, medium-sized businesses are open to attacks, leaders have little confidence in data breach policies; and executives from the technical and business side cannot agree how to approach information security.
The research found that businesses are relatively well prepared to respond to attacks, there are gaps. Security is still just an IT issue rather than a company-wide discipline.
70% of respondents of organisations that have security policies are confident they can prevent a breach - however 46% CEOs and general managers disagree.
"Cyber attackers thrive in gaps. While it's good to see that most businesses are aware of the necessity for sound information security policies, procedures and enabling infrastructure, more needs to be done – particularly around training and policy implementation. And the 'she'll be right' approach taken by medium-sized businesses is potentially leaving them wide open to attack," says Scott Bartlett, Kordia Group CEO.
82% of respondents in organisations with more than 200 employees said there are enough tools to help them make informed security decisions - compared to 58% of those with 50-99 employees.
"Businesses with 20 to 99 employees are less well prepared as they likely don't have the budget, the skills or the inclination to focus on information security. Instead, energies are more likely to be focused on operational issues," Bartlett says.
70% of respondents overall said their organisation has security policies or training, but only 58% of medium-sized businesses have them.
The survey also picks up a lack of communication between chief executives/general managers and chief technology officers. Only 54% of CEOs/GMS know about the policies and training systems around online security, compared to 84% of IT staff.
Bartlett says technical staff are generally more confident because they're involved in the design. He believe executives either don't know enough, or they see an inadequate policy.
He believes that disconnect is a problem, because security is everyone's concern.
"It is encouraging that most companies do recognise the necessity for cyber security as a component of their IT and business organisation," Bartlett notes.
"However, there is still work to be done in terms of making this a companywide issue, rather cyber security remaining in the domain of technical staff members. And both small and medium-sized businesses should realise that they are just as much in hackers' crosshairs as their larger counterparts," he says.