Trend Micro research reveals major security gaps and lack of board accountability in many companies
Trend Micro, a global cybersecurity leader, has published research revealing that UK organisations lack sufficient resources and leadership buy-in to measure and mitigate risk across their digital attack surface.
The research, which surveyed 100 UK cybersecurity leaders as part of a global study, polled those responsible for cybersecurity in small, medium and large organisations to better understand their attitudes toward attack surface risk management (ASRM).
The top three gaps in cyber-resilience revealed by respondents were:
- Sufficient staffing for 24/7/365 cybersecurity coverage – which just 31% have
- Attack surface management techniques to measure the risk of the attack surface (used by 32%)
- Using proven regulatory and other frameworks like the NIST Cybersecurity Framework (only 34%)
The failure of UK companies to achieve these cybersecurity basics could be traced back to a lack of leadership and accountability at the top of the organisation. Half (48%) of global respondents claimed that their leadership doesn’t consider cybersecurity to be their responsibility. Just 17% disagreed strongly with that statement.
When asked who does or should hold responsibility for mitigating business risk, respondents returned a variety of answers, indicating a lack of clarity on reporting lines. Nearly a third (25%) of UK respondents said the buck stops with organisational IT teams.
This lack of clear direction on cybersecurity strategy may be why over half (54%) of UK respondents complained that their organisation’s attitude to cyber risk is inconsistent and varies from month to month.
Bharat Mistry, Technical Director at Trend Micro, said: “A lack of clear leadership on cybersecurity can have a paralysing effect on an organisation – leading to reactive, piecemeal and erratic decision making. Companies need CISOs to clearly communicate in terms of business risk to engage their boards. Ideally, they should have a single source of truth across the attack surface from which to share updates with the board, continually monitor risk and automatically remediate issues for enhanced cyber-resilience.”
The leadership required to remediate these issues is not present in many organisations. Nearly all (94%) of those surveyed have concerns about their attack surface. Over one-third (36%) are worried about having a way of discovering, assessing and mitigating high-risk areas and 16% aren’t able to work from a single source of truth.