Businesses take differing approaches to counter cybersecurity threats, survey finds

Businesses take differing approaches to counter cybersecurity threats, survey finds

New E.U. data privacy regs could affect all online businesses 

Most businesses remain vulnerable to cybersecurity threats, as online attacks continue to grow.

That’s a conclusion from Grand Rapids-based information technology service provider US Signal Co. LLC, which surveyed I.T. professionals across the country and determined more than 80 percent of them thought cybersecurity challenges grew in the past year.

Four in 10 survey respondents reported at least one security incident during the last year and nearly 13 percent couldn’t even say if they had experienced a problem.

The survey results show that many companies, even after several high-profile incidents, need to “reinforce their security postures by educating employees about vulnerabilities,” said Trevor Bidle, data protection officer and information security and compliance officer at US Signal.

Findings in the survey affirm several issues US Signal has identified in working with customers, said Matt VanderZwaag, the company’s director of product development.

In the February survey of 120 I.T. professionals from a cross-section of economic sectors, respondents’ top security concerns included email threats such as ransomware, malware and phishing; ensuring companies keep up with security patches and software updates; and the use of legacy I.T. systems that have little or no security updates available.

The results also indicate that some respondents have a hard time keeping up with all of the emerging threats, VanderZwaag said.

“The big thing that comes around is always having to do with patching and updating operating systems. We deal with customers all across the board. Whether it’s a legacy system or new, the issue always seems to be the same, that it’s difficult to keep things updated,” he said. “Cyber (threats are) only growing and becoming more sophisticated.”

Six in 10 clients stay on top of threats by having a small internal I.T. team, and about half work with a third-party service provider. Nearly 30 percent of respondents had a dedicated cybersecurity team, and one in five said they invest heavily in technology.

About 4 percent of respondents answered “we don’t” when asked how they keep up with emerging cyber threats.

GROWING CONCERN

VanderZwaag advises businesses to have staff members who focus on cybersecurity “day in and day out” to keep up with threats and new technologies. The 13 percent of respondents that did not know if they had experienced an attack in the last year were “one of the resounding things that stand out” in the survey results.

“Organizations, by and large, are in a very rough spot when it comes to security. It’s kind of sad to see that a number of people, 13 percent, if they say they don’t know if they’ve had any issues, that’s an issue,” he said. “You should at least know if you have or have not. That means that as an organization, security is a very low priority for them and that’s just not a good thing to have. You have to keep your finger on the pulse because … you have to be ahead of that to keep it from happening.”

The ramifications that come from some kind of breach — such as a ransomware attack, where a cybercriminal hacks into a company’s system, encrypts its data, and then demands payment to release it — can prove costly given the disruption to the business, lost revenue and liability.

A 2017 report by IBM Security and the Traverse City-based Ponemon Institute placed the average cost of a data breach for a U.S. business at $7.35 million. That’s the highest among 13 nations where IBM and the Ponemon Institute interviewed more than 1,900 people at 419 companies that experienced a breach.

The annual study said that nearly half of all breaches were the result of malicious criminal attacks. Many more occur from negligence or human error in which an employee inadvertently clicks on a link in an email, for example, and unknowingly spreads an attack throughout the company, VanderZwaag said.

Companies need to regularly train employees about how to identify emails that are phishing, malware or ransomware attacks, he added.

EU REGS TAKE EFFECT

Elsewhere in the US Signal survey, about one-third of organizations believe they spend the right amount annually on cybersecurity, and another one-third said they need to spend more.

Nearly half of the respondents at the time were either unsure if a new regulation by the European Union affects their company or whether they would have to comply when it took effect on May 25.

Designed to protect user data and privacy, the General Data Protection Regulation affects any company that does business or sells to customers in Europe, said attorney Hal Ostrow of the Grand Rapids law firm Rhoades McKee PC. The regulation essentially gives end users more rights over personal data stored in systems with which they interact.

To comply, affected companies need to make sure their privacy policies and terms of service are up to date so users know what personal data has been stored. Companies must give users the ability to download their data and the right to opt to have their data stored, Ostrow said.

The regulation potentially could affect any business that interacts with users online, Ostrow said.

Potential penalties for violating the regulation are steep: 20 million Euros, or the equivalent of $23.5 million in the U.S., or 4 percent of worldwide revenue, whichever is higher. That’s an amount Ostrow calls an “exorbitant and crippling fine” for many businesses.

“I don’t know of too many clients that can write that check,” Ostrow said. “What you need to be doing is making sure your terms of service or terms of use and privacy policies comply with this, and not just the words that the users scroll through and click, but also the actions your business takes behind the scenes and to be consistent with those policies.”