The top 5% of business executives? That seems a little presumptuous. Let me explain. But first, let me share a few statistics with you. Cybercrime keeps accelerating: security incidents soared 60% in healthcare. The cost of a security incident in healthcare rose by 282%. Security incidents caused downtime of more than 8 hours per incident. Security incidents grew 66% this past year.
Power and utility companies saw an increase of 527%. Reports show that 57% of companies expect attacks to be more likely to come from the inside. Only 23% of companies report that their organization is doing enough to control insider threats. Now couple this with a quote I have used before from the director of the FBI: “there are only two kinds of companies, the ones that have been hacked by the Chinese and know it, and the ones that have been hacked by the Chinese and don’t know it.” That makes the problem pretty widespread.
What Are We Doing About It?
One in three companies does not have a written IT or data security policy or procedure. That is the official statistic; I would place that number closer to 60% based on my own experience over many years. Self-reported statistics, like the one-in-three figure above, can be error-prone, since many people do not want to admit they do not have a security policy. In addition, if you can get someone to actually show you their security policy, what you will normally find is that the policy is at best incomplete and unusable. The next statistic bears this out. Only 27% of IT departments are confident they are doing enough about IT security. Only 34% of companies have any form of crisis response plan in place in the event of a major security event. Over 60% of companies do not have any form of Identity and Access Management policy.
Over 55% of organizations say they are unable to identify a sophisticated attack. Basically, attackers are getting better, faster, more sophisticated, and more numerous than the defenders. Essentially, we are not winning this war. We are losing it, and it is costing a bundle. Unfilled cyber security jobs will hit 1.5 million positions by 2019. Basically, this means you are not going to be able to hire the people you need to fix the problem. Over 200 billion IoT devices will need security protection by 2021.
Where You Stand
This paints a pretty bleak picture. Where do you stand? Let us draw some logical conclusions from all of these numbers, so we can make some sense of them. The attacks are getting more numerous, and the technology response has been vigorous. And there are some indications that companies are doing a little more than they used to. What we are seeing is some responses to some types of attacks, spread out over different companies at different times. But overall it is a case of too little, too late. What does this mean? It means there is not enough being done consistently throughout the economy and over time. So just by being aware of these issues and changing your mindset, you are placing yourself in the top 5% of business executives. You are already doing more than most.
Remember: the good guys have to be right every time; the bad guys only have to be right once. This translates into a need for security that is ubiquitous and consistent over time. What we have is sporadic and inconsistent. Consistency and constancy are things we preach about every day on this blog. To this day in the US there is no overarching, consistent security initiative or policy research guide for all of American business. There has been no national response to this overwhelming problem. This means that if you are consistently developing and maintaining a strong security posture with leadership from the top, you are a rare breed.
In fact, if you are reading this article you fall within the top 5% of executives in the US who are doing anything about taking a strategic policy approach to security. Harvard Business Review reports that 40% of US executives admit to not having any clear understanding of cyber security in their organization. Once again, I would say it is much higher. If you follow the advice of this blog, then you are now in rare company. You would then fall in the top 1% of companies. The upside of addressing this problem is huge. The risks of doing nothing are even bigger. There has never been an opportunity in our time to strive for excellence with so much to gain, and so much to lose if you do nothing.