Survey Name: CyberSecurity: The Human Challenge
Survey Size: 5000 IT Managers across 26 countries
Survey Date: October 2020
Discussed on 10/22/2020 Episode
Outsourcing of IT Security is rising fast: 65% of respondents to a recent Sophos survey reported that some or all of their IT Security efforts have been outsourced. This is expected to rise to 72% by 2022, as the percentage of organizations that exclusively use in-house staffing is expected to drop from 34% to 26%. In addition, IT Managers whose organizations were hit by ransomware are nearly three times more likely to feel ‘significantly behind’ on cyberthreats than those that weren’t.
With how quickly cyber security threats and the landscape are evolving and changing, it is promising to see more and more people trust these outsourced options to stay on top of their security needs. It is critical to remember that not all outsourced options are good choices, and in my experience, I have heard many shops advertise themselves as Cyber Security focused, but when you dig into it, they are far from it.
The same Sophos survey found that 29% of organizations hit by ransomware in the last year allowed five or more suppliers to connect directly to their network, compared to just 13% of those that did not fall victim to ransomware.
On a promising note, only 22% of IT Teams admit to taking over a week to apply desktop patches, whereas 77% reported patching desktops and servers within a week of the patch release. On average, IT Teams are dedicating nearly half of their time, 45%, to prevention of cyber attacks, 30% to detection, and 25% to response.
This is a good sign that more and more organizations understand the value of being proactive rather than reactive to cyber security threats, and it fits with the finding that organizations that had fallen victim to ransomware put more focus on detection and response than those that hadn’t. Meanwhile, 51% of the survey respondents admitted that their organization had been hit by ransomware in the last 12 months.
These numbers don’t surprise me, and they match what I am seeing in trends and a lot of what I have been advising businesses and MSPs since early this year. Every organization needs to start putting more attention on being proactive and being prepared for when an attack happens, and hope it never does, versus not being prepared and being caught off guard when it does happen.