Experts often argue that IT and security leaders should assume their organization has already suffered a security breach. In fact, an “assume breach” posture is a key pillar of Zero Trust approaches. Yet that doesn’t mean they must focus 100% of their efforts on incident response. Prevention should still play an important strategic role in cybersecurity. The best way of achieving this is via cyber hygiene essentials such as patch and configuration management, regular updates and other tactics.
To find out more, Tanium commissioned new research in the UK. We interviewed 300 IT security decision-makers from organizations of 500+ employees. The results backed our hunch: preventative steps can go a long way to minimizing cyber risk by reducing security gaps that the bad guys can exploit.
What we found
The first finding is perhaps the most uncontroversial. Malicious cyber activity is commonplace today. In fact, 92% of respondents admitted they have suffered an attack or data breach — nearly three-quarters (73%) in the past year. The picture is worsening for defenders. Over two-thirds (69%) agreed that threats are increasing, and they expect 2022 to herald the most attacks ever.
Most UK organizations also recognize the damaging impact this can have on their business, citing lost productivity, clients, revenue, and data, as well as financial damage stemming from ransom payments.
Yet here’s the key. Organizations that take a mainly preventative approach to cybersecurity are significantly less likely to have experienced an attack or breach in the past 24 months than those that are more reactive: 79% versus 90%. This makes sense. Organizations can significantly reduce their attack surface by preemptively patching vulnerabilities and keeping endpoint assets correctly configured and updated. It doesn’t make them breach-proof, but by making the bad guys work harder, it can reduce the chances of a successful attack.
So why did 29% of respondents say they still take a mainly reactive approach to security, a figure that rises to 36% in banking and finance, 32% in the public sector and 35% in organizations with 500–999 employees? After all, most (85%) organizations agreed that it costs more to recover from an incident than to prevent one. And three-quarters (76%) of those who had experienced an attack or breach admitted that most incidents had been avoidable.
When boards disconnect
Part of the answer may lie with board awareness of cybersecurity. We found that:
- 63% of respondents said leadership is only concerned about cybersecurity following an incident, rising to 78% in banking and finance and 64% across the public sector.
- 79% of respondents agreed that leadership is more likely to sign off a budget for cybersecurity when a data breach has recently happened.
- 55% claimed that their organization doesn’t have enough staff to focus properly on preventative security measures.
The challenge of getting more board-level buy-in for security is nothing new. But this study highlights the potentially damaging impact it can have. If siloed leadership teams are only prepared to stump up for initiatives once incidents have occurred, it will cost their organization dear in the long run. Not only can preventative security reduce the likelihood of costly breaches — it doesn’t necessarily require any additional staff if organizations use the right kind of automated tooling.
Cyber hygiene to the fore
By slotting cyber hygiene best practices into security strategy, organizations in the UK and beyond can build more resilient IT endpoint environments. The good news is that over 40% of respondents to this study said they expect to spend more on endpoint security and other tools over the coming financial year. These tools could provide the kind of visibility and control over IT assets that is essential to building a successful preventative security posture.
What’s more, over three-quarters (78%) agreed that preventative measures they have put in place are a greater focus for senior leadership now than they were pre-pandemic. If COVID-19 provides the wake-up call boardrooms need to get proactive about cybersecurity, then at least the past two years will have driven some positive change.
Check out the full ‘Cybersecurity: Prevention Is Better than the Cure’ report which includes more interesting findings about the attitudes of IT decision makers towards preventative cybersecurity strategies.