Experts vs Novices

In a recent report by Hiscox, 5,569 professionals responsible for their organization’s cyber security strategy were surveyed. Of these, 59% were from companies with fewer than 250 employees (SMBs).

In terms of cyber readiness, 64% of the respondents were classed as novices while 18% were classed as experts. Overall, the experts did much better at fighting cyber threats than the novices. In fact, the novices were three times more likely to suffer a breach than the experts, with a median of 30 per firm compared with nine for the experts.

One of the more striking findings is that almost one in five of the novices that suffered a cyber event found themselves paying a ransom. Smaller, more vulnerable firms are likely to be in the firing line, and the less well prepared are clearly paying the price.

Most appear to have achieved their expert status by taking cyber security seriously. Analysis shows the experts all took the following actions:

  • Engaged actively in cyber awareness training.
  • Deployed anti-virus or anti-malware systems consistently across the organization.
  • Made decisions based on clearly defined business needs or cyber security tolerances.

A deeper dive into their security practices yields the following five tips for achieving expert status.

1. Do the basics well.

Identify every device in the organization. Back data up off-site and learn from each incident or breach. Experts are more likely to up their game following a breach: they evaluate their security regularly, ensure additional security and audit requirements are in place, and strengthen their crisis management.

2. Follow a framework.

Make sure that all the virtual doors and windows are shut. A framework such as the one created by the US National Institute of Standards and Technology (NIST) built around five core tenets – identify, protect, detect, respond and recover – provides a useful checklist. On average, experts pursue twice as many initiatives in all five core tenets as novices.

3. Don’t penny pinch.

Cyber experts direct a larger proportion of their IT budgets to cyber security, and more of them plan to lift spending in every cyber-related area in the year ahead. In simple terms: the more resources a company devotes to cyber security, the more likely it is to rank as an expert.

4. Get management involved.

Nine out of ten experts agree that cyber security is a top priority for executive management. Only half of novices feel able to say the same. When it comes to priorities for the coming year, only a quarter of the SMBs ranked as novices recognized the need to enhance executive management engagement in cyber security policies.

5. Invest in training.

Novices suffered more breaches resulting from successful phishing and malware attacks. Regular training to drive awareness throughout the workforce is vital. This is only partly an issue of resources. Nearly three quarters of the SMBs ranked as experts intend to prioritize the roll-out of effective employee awareness training in the coming year.

Building resilience

No business will ever be completely secure. But all can build resilience by preparing for a breach, testing for it and having the capability to respond quickly and effectively.