Almost all polled large employers in the United States have a cybersecurity policy in place, with required security software and how to back up data being the most important elements of the policy, a recent study from research company Clutch has found.
Released last week, the survey examined the state of cybersecurity among large U.S. companies and how they address both internal and external cybersecurity risk. The survey involved 304 IT decision-makers at companies with 500+ employees; 77% of respondents worked at companies with over 1,000 employees; 70% hold positions above manager level.
The survey found that nearly all large businesses polled (94%) had a cybersecurity policy, with required security software (84%) and how to back up data (81%) the most important elements of these policies, followed by how to detect scams (79%) and how to report security incidents (78%). Among the group that had a cybersecurity policy, 87% created a policy at least three years ago.
As for type of attack, large companies experience phishing attacks (57%) more often than any other form of attack, reporting at least one in the past 12 months. Trojans/malware followed at 47% and password attacks at 37%.
“Our finding that email phishing is the most common security threat is consistent across other research conducted in 2017,” Clutch added in statement, pointing to another survey from the company in May 2017 of 302 website managers which found that email phishing is the most common attack affecting websites.
“Surprisingly, only 21% reported a ransomware attack on their company in the past year,” the statement noted. “The security concern and frequency of ransomware attacks draws an underwhelming comparison to the amount of attention that strand of cybersecurity attack receives.”
In the first half of 2017, multiple global ransomware attacks drew international media coverage. Namely, the global ransomware attack WannaCry affected businesses on six continents (Antarctica miraculously survived unscathed). The next month, another ransomware attack, originating in Ukraine, caused global damages, the statement said. “News coverage of ransomware attacks is positive because it raises awareness about how important it is to have cybersecurity policies in place.”
When asked how company’s implement their cybersecurity policy, 85% said they “communicate policies clearly to all employees,” 79% reported monitoring policy compliance and 77% said they train employees to follow policies. “Businesses implement cybersecurity policies that focus on communication and training more than enforcement,” the statement added. “When companies focus on communication, compliance, and training, they address two central cybersecurity concerns: the evolving cybersecurity threat landscape and internal risk posed by employees.”
Other survey findings included:
Remote work makes using unsecured devices and networks more likely. The study found that 89% of companies allow their employees to work remotely;
Nearly three-fourths (74%) of companies allow their employees to use personal devices for work;
Over half of IT decision-makers (52%) describe the enforcement of their company’s policy as “moderate”;
More than 70% of businesses plan to invest more in cybersecurity over the next year; and
One-third of respondents (33%) say investing in technology, such as security software, secure mobile apps, and other IT services, will improve their cybersecurity policy.