BEDFORD, Mass., June 14, 2016 /PRNewswire/ --
STORY HIGHLIGHTS
- For the second straight year, 75% of survey respondents have a
significant cybersecurity risk exposure
- Organizations that report more business-impacting security
incidents are 65% more likely to have advanced cyber maturity
capabilities
- Half of those surveyed assess their incident response
capabilities as either "ad hoc" or "nonexistent"
- Less mature organizations continue to mistakenly implement more
perimeter technologies as a stopgap measure to prevent incidents
from occurring
- Government and Energy ranked lowest among industries in cyber
preparedness
- American entities continue to rank themselves behind both APJ
and EMEA in overall cyber maturity
Today, RSA, The Security Division of EMC (NYSE: EMC), released
data demonstrating that organizations that invest in detection and
response technologies, rather than perimeter-based solutions, are
better poised to defend against cyber incidents. The second annual
RSA Cybersecurity Poverty Index, which compiles survey results from
878 respondents across 81 countries and more than 24 industries,
attracted more than double the number of respondents as last year,
and gave participants the chance to self-assess the maturity of
their cybersecurity programs leveraging the NIST Cybersecurity
Framework (CSF) as the measuring stick. The report found that for
the second year in a row, 75% of survey respondents have a
significant cybersecurity risk exposure. Incident Response (IR)
capabilities are particularly underdeveloped. Nearly half of
organizations characterized essential IR capabilities as "ad hoc"
or "non-existent", but organizations are more likely to accelerate
programs to shore up cybersecurity capabilities once they have
experienced a security incident that impacted the business. The
survey also showed that most organizations continue to struggle to
improve cybersecurity because they don't understand how cyber risk
can impact their operations.
There has been plenty of anecdotal evidence that companies tend
to delay investments in cybersecurity until they experience the
pain first hand. In addition, companies which primarily rely on a
perimeter defense philosophy are disadvantaged in finding malicious
activity, and risk public exposure of critical business assets. The
results of the RSA Cybersecurity Poverty Index solidified this
concept, reporting that the organizations that detect and
experience frequent security incidents are 65% more likely to have
developed or advantaged capabilities. This shows that organizations
that regularly deal with security incidents accelerate moves to
shore up security programs and end up with more mature
capabilities. Organizations must focus on executing preventative
strategies and make improving this a priority over other
capabilities which are growing in importance such as detection and
response.
One of the most significant changes from the 2015 survey was the
increase in the number of organizations with mature cybersecurity
programs. The percentage of organizations reporting advantaged
capabilities – the highest category – increased by more than half
over the prior Index, from 4.9% to 7.4%. But organizations' overall
perception of their cybersecurity preparedness continued to lag.
The number of respondents reporting significant cybersecurity risk
exposure stayed steady at nearly 75%, reflecting a growing
disparity between the "haves and have-nots" in security
preparedness.
The survey also showed that organizations continue to struggle
with their ability to take proactive steps to improve their
cybersecurity and risk posture. Overall, 45% of those surveyed
described their ability to catalog, assess and mitigate cyber risk
as "non-existent," or "ad hoc" and only 24% reported that they are
mature in this domain. The inability to quantify their Cyber Risk
Appetite (the risks they face and the potential impacts on their
organizations) makes it difficult to prioritize mitigation and
investment, a foundational activity for any organization looking to
improve their security and risk posture.
For the second year, the survey results highlight how critical
infrastructure operators, the original target audience for the CSF,
need to make significant steps forward in their current levels of
maturity. Government and energy organizations ranked lowest across
industries in the survey, with only 18% of respondents ranking as
developed or advantaged. Organizations in the aerospace and defense
industry reported by far the highest level of maturity with 39% of
respondents having developed or advantaged capabilities. Financial
Services organizations, a sector often cited as industry-leading
due to the large volume of cyberattacks it faces, placed in between
with 26% rating their firms as well prepared – down from 33% a
year ago.
The reported maturity of organizations in the Americas continued
to rank behind both EMEA and APJ. Organizations in EMEA reported
the most mature security strategies with 29% ranked as developed or
advantaged in overall maturity while only 26% of organizations in
APJ and 23% of organizations in the Americas rated as developed or
advantaged. EMEA overtook APJ for the top ranking, moving up 3
percentage points while APJ dropped 13
points.
Methodology
To assess cybersecurity maturity, respondents self-assessed
their capabilities against the CSF, which is designed to provide
guidance based on existing standards, guidelines and practices for
reducing cyber risks, and was created through collaboration between
industry and government. While the CSF was initially developed in
the United States with the aim of
helping to reduce cyber risks to critical infrastructure,
organizations worldwide have found it to be a prioritized,
flexible, repeatable and cost-effective approach for managing cyber
risk. Thus, it serves as an excellent baseline to assess any
organization's core cybersecurity and cyber risk management
capabilities.
Organizations rated their own capabilities in the five key
functions outlined by the CSF: Identify, Protect, Detect, Respond,
and Recover. Ratings used a 5-point scale, with 1 signifying that
the organization had no capability in a given area, and 5
indicating that it had highly mature practices in the area.
EXECUTIVE QUOTE:
Amit Yoran, President, RSA,
The Security Division of EMC
"This second round of
cybersecurity research provides tangible evidence that
organizations of all sizes, in all industries and from all
geographies feel unprepared for the threats they are facing. We
need to change the way we are thinking about security, to focus on
more than just prevention – to develop a strategy that emphasizes
detection and response. Organizations need to set their agendas
early, build comprehensive strategies and not wait for a breach to
force them into action."
ADDITIONAL RESOURCES:
- Download the RSA Cybersecurity Poverty Index eBook providing
valuable insights into organizations' cyber security maturity
- Take the same Cybersecurity Maturity Assessment that was used
for the RSA Cybersecurity Poverty Index to determine your own
organization's maturity
- View the RSA Cybersecurity Poverty Index Infographic
- Download RSA's Cyber Risk Appetite whitepaper
- Hear President Amit Yoran and
Vice President and GM of RSA's Global Public Sector
Mike Brown discuss results from the
RSA Cybersecurity Poverty Index
- Connect with RSA via Twitter, Facebook, YouTube, LinkedIn and
the RSA Speaking of Security Blog and Podcast
ABOUT RSA
RSA provides more than 30,000 customers
around the world with the essential security capabilities to
protect their most valuable assets from cyber threats. With
RSA's award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage
identities; and ultimately, reduce IP theft, fraud, and cybercrime.
For more information, go to www.rsa.com.
This release contains "forward-looking statements" as defined
under the Federal Securities Laws. Actual results could
differ materially from those projected in the forward-looking
statements as a result of certain risk factors, including but not
limited to: (i) risks associated with the proposed acquisition of
EMC by Denali Holdings, Inc., the parent company of Dell, Inc.,
including, among others, assumptions related to the ability to
close the acquisition, the expected closing date and its
anticipated costs and benefits; (ii) adverse changes in general
economic or market conditions; (iii) delays or reductions in
information technology spending; (iv) the relative and varying
rates of product price and component cost declines and the volume
and mixture of product and services revenues; (v) competitive
factors, including but not limited to pricing pressures and new
product introductions; (vi) component and product quality and
availability; (vii) fluctuations in VMware, Inc.'s operating
results and risks associated with trading of VMware stock; (viii)
the transition to new products, the uncertainty of customer
acceptance of new product offerings and rapid technological and
market change; (ix) risks associated with managing the growth of
our business, including risks associated with acquisitions and
investments and the challenges and costs of integration,
restructuring and achieving anticipated synergies; (x) the ability
to attract and retain highly qualified employees; (xi)
insufficient, excess or obsolete inventory; (xii) fluctuating
currency exchange rates; (xiii) threats and other disruptions to
our secure data centers or networks; (xiv) our ability to protect
our proprietary technology; (xv) war or acts of terrorism; and
(xvi) other one-time events and other important factors disclosed
previously and from time to time in the filings of EMC, the parent
company of RSA, with the U.S. Securities and Exchange
Commission. EMC and RSA disclaim any obligation to update any
such forward-looking statements after the date of this
release.
To view the original version on PR Newswire,
visit: http://www.prnewswire.com/news-releases/rsa-research-75-of-organizations-are-at-significant-risk-of-cyber-incidents-300284168.html
SOURCE RSA