Despite highly publicized data breaches and the attention given to privacy regulations like the E.U.'s GDPR, many organizations still have work to do to improve their security, according to the latest research from QuinStreet's eSecurityPlanet website.
The most prominent finding in eSecurityPlanet's 2019 State of IT Security survey is that one-third of the survey respondents felt their organization was largely unprepared for a cybersecurity attack. But there are a number of other findings from the survey that can help marketers better understand the current state of the security space, including:
- Survey respondents have the most confidence in trusted, proven security technologies
- Newer, more proactive tools and techniques for cyberdefense are under-utilized
- It is very difficult to unseat an incumbent vendor in the security market
We'll explore these findings in more detail below.
Small Businesses Represent an Opportunity
When cybercriminals scan the Internet for opportunities to penetrate networks and steal data, they rarely care whose data it is. The survey found, unsurprisingly, that security readiness favors larger organizations.
- Only 15 percent of organizations with 10,000 or more employees indicate they infrequently or never conduct penetration testing
- 60 percent of companies with 100 or fewer employees indicate they don't conduct penetration testing frequently, if ever
- 51 percent of large organizations engage in threat hunting at least once a year
- 40 percent of organizations with 100 or fewer employees engage in threat hunting at least once a year
Vendors that can deliver security peace of mind while meeting the price point and usability requirements of small businesses will find a market in organizations that lack the resources and expertise of large corporations.
Businesses Doubt Their Defenses against Well-Known Attacks
A number of attack methods are highly publicized, but awareness of threats doesn't always translate into confidence that an organization can defend against them. Respondents to eSecurityPlanet's survey said they were "Maybe Prepared" or "Not Prepared" to defend against a number of well-known threats.
|Threat||"Maybe Prepared" or "Not Prepared"|
|Advanced Persistent Threats|
The data suggests that there's a potentially significant difference between understanding what a threat is and how it can harm an organization, and the tools and tactics that are available to prevent such a threat.
Some Security Tools are Under-Utilized
For a number of years, cybersecurity tools were largely passive, defensive measures that worked like locks to prevent unauthorized access to machines or networks. More proactive tools now exist to help organizations simulate attacks and test their defenses. There are also tools to help actively hunt threats. Many organizations fail to use these approaches as part of their cyberdefense strategy, the survey found.
- 50 percent of organizations say they infrequently or never conduct threat-hunting exercises
- Nearly half (48 percent) of the surveyed organizations say they infrequently or never use Breach and Attack Simulation (BAS) software
- 39 percent of organizations say they very infrequently or never use penetration testing
Proven, Reliable Security Solutions Are Most Trusted
The cybersecurity technologies that generated the most confidence among the 2019 survey respondents read like a list of trusted, proven solutions.
Which Products Are You Most Confident In?
|Network Access Control||25.6%|
|Host Intrusion Detection||18.2%|
|Intrusion Prevention/Intrusion Detection||15.7%|
|Data Loss Prevention (DLP)||14.0%|
Respondents picked up to three; top 10 are shown.
Businesses Feel Good about Compliance Requirements
Thanks to the attention paid to the E.U.'s GDPR regulations in the past year, compliance became a popular topic in the IT industry, just as it did in the early 2000s when Sarbanes-Oxley debuted after highly publicized accounting scandals.
The survey found that more than 76 percent of respondents said they are either Somewhat Confident (44.9 percent) or Very Confident (31.4 percent) that their organization is properly meeting all its compliance requirements.
Tools specifically developed to aid compliance efforts, such as Governance, Risk and Compliance (GRC) solutions, don't seem to be the reason for the optimism, however. Only about 21 percent of respondents have or plan to purchase GRC tools in the next 12 months, a potential weak spot for compliance efforts.
Instead, Data Loss Prevention (DLP) tools, which focus on protecting sensitive information, are gaining in popularity. About 35 percent of organizations have DLP tools, and another 21 percent plan to add them in the next 12 months.
Bakeoffs are Popular; Changing Vendors is Not
The respondents to the survey are not afraid to try new products from new vendors. In fact, 60 percent of the respondents have conducted bakeoffs to try new vendors and technologies. But as a testament to how difficult it is to unseat established vendors and technologies when it comes to cybersecurity, only 6 percent of respondents said they have ever switched to a new vendor or technology as a result of a bakeoff.
Read more about eSecurityPlanet's 2019 State of IT Security survey: