Have you been impacted by any cyber threats in the last 12 months?

This year’s results give credence to the general sense that cyber threats are a common fixture on the security landscape for many organisations. Around a third of respondents (31%) had been affected by some form of cyber threat over the last 12 months.

Respondents from small organisations were the least likely to have been affected by cyber threats, whilst 40% of respondents from medium and large organisations had experienced some form of impact from cyber threats.

Have you reviewed your policies in response to recent cyber threats?

Respondents from organisations with larger IT teams were significantly more likely to have reviewed their security policies in light of cyber threats.

Levels of proactive review were generally good, with almost two-thirds of respondents having examined their security policies in response to cyber threats. Even among organisations with smaller IT teams, almost half of respondents had reviewed their security policies, which is an encouraging level of engagement with a risk that might seem abstract or irrelevant at smaller sizes.

Have you invested in safeguards in the last 12 months in response to threats?

Over half of respondents from small organisations had not invested in any safeguards in response to new cyber threats. Respondents from large organisations fared better, with just under half performing ongoing employee awareness training. Given unwitting employees are often the largest element of the attack surface for most organisations, ongoing cyber awareness training is one of the most effective security measures.

Rates of certification to cyber awareness frameworks were low across all respondents.

Do you have concerns about what the Internet of Things (IoT) will mean for information security?

Attitudes around what the Internet of Things might mean for information security seem quietly cautious, with the majority of respondents across all sizes of organisation and IT team refusing to take a strong position.

It wouldn’t be unreasonable to expect the majority of respondents answering “Yes, I am somewhat concerned” is more a symptom of exposure to press coverage than independent risk assessment.