Date: 2023-04-06

Always be prepared—or, at least be prepared more than 15% of the time.

That’s a tall order when it comes to cybersecurity preparedness, according to a new study from Cisco that found a staggering 85% of 6,700 global security practitioners say their companies do not have a cybersecurity posture robust enough to defend against risks relating to hybrid work.

Tom Gillis, SVP of Cisco’s security business group, told IT Brew that the survey looked at companies of varying sizes and capacities. The answers were largely uniform—indicating that a lack of preparedness is an issue across the industry.

“The takeaway is that 85% of the respondents said they’re not not quite right, still super exposed,” Gillis said. “Almost everybody.”

The study judged companies on their stages of readiness, termed as beginner, formative, progressive, and mature. Only 15% of companies surveyed reached the mature level of cybersecurity readiness.

Reality bites. Being unprepared is more than an abstract worry. Around 60% of respondents also reported that they had experienced a breach in the last 12 months, with 41% saying they had suffered an incident that cost their company $500,000 or more.

In Gillis’s view, that means taking the fight across platforms and to internal and external sources. Vendors need to be addressed as much as staff, he told IT Brew.

“The name of the game is no longer, ‘I can look really, really deeply in one narrow domain,’” Gillis said. “The game has now shifted to ‘I’ve got to look as deeply as I possibly can across four or five domains’—and that is going to involve a lot of vendor cooperation.”

Code42 CISO Jadee Hanson told IT Brew that she sees security as something on which most companies are still playing catch-up. There’s a plethora of challenges that aren’t easily met—including insider risk—mostly due to the rapidly changing nature of the industry.

“We’re seeing cybersecurity have a very different weight of importance in organizations, but we still are catching up to where it should be,” Hanson said.

Going through changes. Part of the problem for companies and organizations struggling with cybersecurity is that the industry is changing more quickly than most IT teams can keep up with. Corporate and regulatory controls present hurdles to moving fast, even as they provide teams with a better product overall than cyberattackers.

“They don’t have the same level of rigor that we might as reputable organizations, and so it allows them to move a lot quicker and to take a lot more risks,” Hanson said. “That sometimes pays out for them.”

A recent Code42 report on the dangers to companies and organizations from insider risk found that the danger from internal sources is growing. It’s part of a threat landscape that’s left Hanson nervous. She doesn’t think things are anywhere near “good,” she told IT Brew. And there are unanswered questions about attacks that worry her.