Boring’s Not So Boring
Humans & cybersecurity practices
Based on a comprehensive survey of 5,000 IT managers across 26 countries, Cybersecurity: The Human Challenge provides brand new insights into the state of cybersecurity skills and resources across the globe.
It reveals the realities facing IT teams when it comes to the human-led delivery of cybersecurity, and explores how organizations are responding to the skills challenges they face.
The study also exposes unique insights into the relationship between an organization falling victim to ransomware and its day-to-day cybersecurity practices.
IT teams are showing progress in many battles
- IT teams are on top of patching. Three-quarters of IT teams apply patches to desktops, servers, applications, and internet-facing assets within a week of release. Servers and internet-facing assets are patched most quickly, with 39% of respondents patching them within 24 hours.
- Prevention is prioritized. On average, IT teams dedicate nearly half their time (45%) to prevention. After that, 30% of time is spent on detection and the remaining 25% is spent on response.
- IT managers are keeping up to date with cybersecurity. The majority (72%) say that they and their teams are up to date with or ahead of cybersecurity threats. Just 11% think they are significantly behind.
Improving cybersecurity requires people – who are in short supply
- There is an urgent need for human-led threat hunting. Forty-eight percent of respondents have already incorporated human-led threat hunts in their security procedures and a further 48% plan to implement them within a year.
- The cybersecurity skills shortage is directly impacting protection. Over a quarter (27%) of managers said their ability to find and retain skilled IT security professionals is the single biggest challenge to their ability to deliver IT security, while 54% say it is a major challenge.
Organizations are changing the ways they deliver security
- Improving operational efficiency is a key priority. Four in ten (39%) respondents said that improving operational efficiency and scalability is one of their biggest priorities for the IT team this year.
- Outsourcing IT security is rising fast. Currently, 65% outsource some or all of their IT security efforts. This is set to rise to 72% by 2022. The percentage of organizations that exclusively use in-house staffing will drop from 34% to 26%.
Ransomware victims display different behaviors and attitudes than those who haven’t been hit
- Ransomware victims are more exposed to infection from third parties. Twenty-nine percent of organizations hit by ransomware in the last year allow five or more suppliers to connect directly to their network – compared to just 13% for those that weren’t hit.
- Ransomware damages professional confidence. IT managers whose organizations were hit by ransomware are nearly three times as likely to feel “significantly behind” on cyberthreats as those whose organizations weren’t (17% vs. 6%).
- Being hit accelerates implementation of human-led threat hunting. Forty-three percent of ransomware victims plan to implement human-led hunting within six months, compared to 33% for those that didn’t suffer an attack.
- Victims have learned the importance of skilled security professionals. More than one-third (35%) of ransomware victims said recruiting and retaining skilled IT security professionals is their single biggest challenge when it comes to cybersecurity, compared to just 19% of those who hadn’t been hit.
Download the full PDF report for more findings, including results for each of the 26 countries surveyed.
About the survey
Sophos commissioned specialist research house Vanson Bourne to survey 5,000 IT managers during January and February 2020. Sophos had no role in the selection of respondents and all responses were provided anonymously.
Respondents came from 26 countries across six continents: Australia, Belgium, Brazil, Canada, China, Colombia, Czech Republic, France, Germany, India, Italy, Japan, Malaysia, Mexico, the Netherlands, Nigeria, the Philippines, Poland, Singapore, South Africa, Spain, Sweden, Turkey, UAE, the UK, and the US.
Fifty percent of respondents were from organizations of between 100 and 1,000 employees, and 50% were from organizations of between 1,001 and 5,000 employees. Respondents came from a range of sectors, both public and private.