Have you been impacted by any cyber threats in the last 12 months?

This year’s results give credence to the general sense that cyber threats are a common fixture on the security landscape for many organisations. Around a third of respondents (31%) had been affected by some form of cyber threat over the last 12 months.

Respondents from small organisations were the least likely to have been affected by cyber threats, whilst 40% of respondents from medium and large organisations had experienced some form of impact from cyber threats.

Have you reviewed your policies in response to recent cyber threats?

Respondents from organisations with larger IT teams were significantly more likely to have reviewed their security policies in light of cyber threats.

Levels of proactive review were generally good, with almost two-thirds of respondents having examined their security policies in response to cyber threats. Even among organisations with smaller IT teams, almost half of respondents had reviewed their security policies, which is an encouraging level of engagement with a risk that might seem abstract or irrelevant at smaller sizes.

Have you invested in safeguards in the last 12 months in response to threats?

Over half of respondents from small organisations had not invested in any safeguards in response to new cyber threats. Respondents from large organisations fared better, with just under half performing ongoing employee awareness training. Given that unwitting employees are often the largest element of the attack surface for most organisations, ongoing cyber awareness training is one of the most effective security measures.

Rates of certification to cyber security frameworks were low across all respondents.

Do you have concerns about what the Internet of Things (IoT) will mean for information security?

Attitudes around what the Internet of Things might mean for information security seem quietly cautious, with the majority of respondents across all sizes of organisation and IT team refusing to take a strong position.

It wouldn’t be unreasonable to expect that the majority of respondents answering “Yes, I am somewhat concerned” are doing so more as a symptom of exposure to press coverage than as the result of an independent risk assessment.

Has your organisation put any policies in place specifically to protect against IoT threats?

Less than a third of respondents had translated those concerns about the IoT into actionable policies that specifically address IoT threats.

The only group making significant progress towards specific IoT security policies was respondents from larger organisations, with just over two-fifths responding positively.

Have you evaluated your continuity risks for cloud services compared with on-premise IT?

Of the respondents that used cloud services, just over two-thirds had either already factored the associated continuity risks into their existing plans, or were intending to do so over the next 12 months.

Split by size, respondents from smaller organisations were significantly more likely to use cloud services without any intention of considering how their risks changed versus using on-premise IT services.

Do you use any additional backup or recovery capabilities for cloud-based IT systems beyond the default?

Of the respondents that use cloud-based IT systems, just 17% allocated no extra backup or recovery capabilities beyond those provisioned by their cloud service providers.

However, over two-thirds of respondents from small organisations allocate no additional backup or recovery capabilities, and may be exposing themselves to unnecessary risk by relying on default capabilities delivered by the provider.

Do you have any concerns about how the forthcoming changes to UK data protection regulations (namely, the introduction of the GDPR in May 2018) will impact your IT operations?

Concerns about GDPR were consistent across organisational size and IT team size, which is to say the majority of respondents either aren’t sure how GDPR will affect their organisation, or aren’t concerned about the possible changes.

These responses are consistent with the lack of clear direction many organisations are grappling with under the new regulations.
Have you put any additional measures in place ahead of the introduction of the GDPR in May 2018?

Although there was little consensus over what GDPR would mean for organisations, close to half of the respondents have either already put additional measures in place to address anticipated challenges, or are planning to over the next 12 months.