Despite the increased awareness concerning IT security threats, a new survey from the United Kingdom suggests far too many organizations still don’t have anything approaching a formal IT security strategy.
Three-fifths (57 percent) of the respondents to a survey conducted by the University of Portsmouth have attempted to identify cybersecurity risks to their organization using, for example, health checks and risk assessments. But the survey also highlights that a sizable number of those businesses still do not have basic IT security protections in place.
Just under half (46 percent) of all UK businesses surveyed identified at least one cybersecurity breach or attack in the past 12 months. Over a third (37 percent) reported being breached once in the past year, but the same proportion of respondents say they were breached at least once a month, with 13 percent admitting that breaches were occurring daily. But only a quarter (26 percent) reported their most disruptive breach externally to anyone other than a cybersecurity provider.
Only three in five (58 percent) businesses have sought information, advice, or guidance in the past year concerning the cybersecurity threats their organizations face. The top sources of information mentioned in the survey are external security or IT consultants (32 percent) and online searches (10 percent).
Cybersecurity challenges and concerns
The good news is that the majority of the businesses (67 percent) have spent money on their cybersecurity, and half of the respondents (52 percent) have enacted basic technical controls. Just under a third of the respondents (29 percent) say they have made specific board members responsible for cybersecurity.
There’s still much work to be done, though. Less than two-fifths of the businesses surveyed have segregated wireless networks or implemented any rules around encryption of personal data (37 percent in each case). A third have a formal policy that covers cybersecurity risks (33 percent), or document these risks in business continuity plans, internal audits, or risk registers (32 percent). Only about one in 10 respondents (11 percent) have a cybersecurity incident management plan in place.
Employee training is another concern. Only a fifth (20 percent) of businesses have had staff attend any form of cybersecurity training in the past 12 months, with non-specialist staff being especially unlikely to have attended this type of training. And yet, the most common types of breaches are related to staff receiving fraudulent emails (72 percent), followed by viruses, spyware, and malware (33 percent), people impersonating the organization in emails or online (27 percent) and ransomware (17 percent).
Security opportunities for MSPs
Collectively, all this data indicates that the market for IT security services is far from being saturated. There’s still a significant number of organizations that are essentially clueless when it comes to IT security. The challenge MSPs face is that many of these organizations are not even savvy enough to recognize the scope of the challenge they face without being prompted. That means it’s unlikely they are going to contact an MSP of their own accord. So, it’s incumbent on the MSP to put a marketing and sales plan together to establish that first level of contact.
Unfortunately, a large percentage of the MSP community remains challenged when it comes to marketing. The end result is that there’s a massive pool of IT security knowledge available to IT organizations that never winds up being tapped due to a failure to communicate.