Despite growing awareness of the dangers of cyber-attacks, many organisations are loath to adopt a preventative approach – until they’re hit.
New research has found that 90% of high-level managers believe that most cyber-attacks are avoidable with a preventative approach.
In its ‘Cybersecurity: Prevention Is Better than the Cure’ report, Tanium explored reactive versus preventative cybersecurity measures. It surveyed UK-based IT decision makers across a variety of industries including public sector, financial services, healthcare, and retail.
Of its respondents, 92% said they had experienced a breach at some point in the past, 82% within the last 24 months, and 73% in the last 12 months.
However, despite this awareness, the study shows that IT teams neglect to implement preventative cybersecurity measures for reasons such as a shortage of technical skills and budget-allocation delays from boards of directors.
Respondents from 86% of organisations compromised by a breach in the last six months believed that more investment in preventative measures (such as tools or staff training) would have minimised incidents.
According to the research, boards only approve new cybersecurity funding after an incident has occurred.
In 80% of cases, C-suite decision makers believe the risk of cyberthreats is increasing and expect 2022 to be the worst year yet in terms of the number of attacks.
Of the IT decision makers who experienced a cyber-attack in the last six months, 86% feel that senior leadership is likely to invest in cybersecurity only after suffering an attack; 75% state that “some cybersecurity incidents needed to happen” in order to get increased investment from leadership.
Loss of productivity resulting from downtime is cited as the most damaging impact of a cyber-attack, with 56% of all respondents citing it.
The report warned that preventative approaches are missed opportunities for IT teams.
A total of 68% of respondents believe that a predominantly preventative approach to cybersecurity is best, with a primarily reactive approach being favoured by only 32%.
The skills gap and overwhelmed IT and security teams have caused preventative security measures to take a lower priority. 55% of organisations agree that there is insufficient staff or resources to focus on a preventative security approach to cyber-attacks.
Larger organisations are more likely to adopt a preventative approach, with 70% of firms with 500+ employees citing prevention as preferable. 60% of organisations with 250-499 employees agreed.
85% of all respondents surveyed agreed that there is a greater cost to recover from a cybersecurity incident than to prevent one.
“Many organisations focus too much on cybersecurity point solutions like antivirus, rather than adopting a holistic, data-driven approach to prevention,” said Tanium chief architect for EMEA Oliver Cronk.
“As our research shows, many damaging security incidents – even those resulting from more sophisticated attack vectors – could have been prevented. In fact, more than half of the breaches we see could have been avoided by maintaining baseline cyber-hygiene standards.
“The current situation is the equivalent of leaving your front door and windows open and only locking them after a burglary has taken place,” Cronk added.