Intel Security and the Centre for Strategic and International Studies (CSIS) say there is still a mismatch between the IT professionals whose job it is to defend against cyber attacks and the attackers who carry them out.
The two organisations released a study of 800 security professionals, titled ‘Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity’.
The report showed that while 92% of Australian organisations have a cybersecurity strategy, only 42% have fully implemented them.
This is slightly below the global average: worldwide, 93% of organisations have a strategy and 49% have fully implemented it.
The disconnect between IT executives and staff is more pronounced: 60% of IT executives think their strategy is fully implemented, compared with only 30% of IT staff.
Intel and CSIS believe that both the gap in perceived success between IT executives and operators, and the gap between strategy and implementation, are leaving organisations vulnerable to attack.
“Cybercriminals have a clear financial incentive for their work and are rewarded for innovation and the sharing of information and workings,” comments Intel Security APAC VP Daryush Ashjari.
“The price of cybercrime is reason enough to learn from the way cybercriminals work and introduce direct incentives for employees as well as increased transparency within businesses. In turn, this will help to increase responsiveness to cyber attacks and ensure that businesses are as nimble and agile as the criminals they seek to apprehend,” Ashjari continues.
In addition, 56% of respondents said their role ‘lacks incentive’, and 60% believe their organisation is more concerned about its reputation than about security itself. However, 65% are personally motivated to strengthen their organisation’s security.
Non-executives are also more likely to see shortfalls in funding and staffing as barriers to implementing their cybersecurity strategy.
95% of respondents reported experiencing the effects of a security breach, including loss of intellectual property, disruption of operations, and harm to reputation and brand. However, only 32% reported a loss of revenue or profit, which can lead to a false sense of security.
The government sector was the least likely to have a fully implemented cybersecurity strategy (38%).
“It’s easy to come up with a strategy, but execution is tough. How governments and companies address their misaligned incentives will dictate the effectiveness of their cybersecurity programs. It’s not a matter of ‘what’ needs to be done, but rather determining ‘why’ it’s not getting done, and ‘how’ to do it better,” says Denise Zheng, director and senior fellow, technology policy program at CSIS.
In short, cybercriminals are operating in a ‘dynamic’ marketplace, while organisations remain caught up in bureaucratic hierarchies.