IT Governance’s 2019 Cyber Resilience Report reveals major data protection weaknesses

Anti-malware technology is one of the most basic cyber security mechanisms that organisations should have in place, but according to IT Governance’s 2019 Cyber Resilience Report, 27% of respondents haven’t implemented such measures.

This finding is even more surprising given that our customer base is naturally more knowledgeable about information security than the average organisation. Our results represent the most optimistic assessment of organisations’ cyber resilience, so the chances are things are even worse in the wider world.

Anti-malware technology isn’t the only area where organisations are neglecting essential cyber security measures. The report also found that:

  • 43% of organisations don’t have a formal information security management programme.

An information security management plan provides a comprehensive assessment of the way an organisation addresses data protection risks. It ensures that preventative measures are appropriate to the scale of the risk and that every necessary precaution is being taken.

Organisations that lack a formal plan will be tackling security measures piecemeal, if at all.

  • 33% of organisations don’t have documents that state how they plan to protect their physical and information assets.

Without documented plans, it’s impossible to track whether they work and what adjustments are necessary. More to the point, it’s possible that the organisation has no plans in place at all, exposing it to myriad threats.

  • 30% haven’t implemented identity and access controls.

Sensitive information should only be available to those who need it to perform their job; otherwise, you run the risk of someone in the organisation using it for malicious purposes.

In some cases, an unauthorised person simply viewing the information is a serious privacy breach. You wouldn’t want everyone at an organisation being able to look at your medical information or political affiliations, for example. That’s why it’s essential to implement controls that ensure that only approved employees can access certain information.

Where do these figures come from?

The report has its origins in our Cyber Resilience Framework, which we developed last year to help organisations improve their ability to prevent security incidents and respond when disaster strikes.

Alan Calder, the founder and executive chairman of IT Governance, said: “Attackers use cheap, freely available tools that are developed as soon as a new vulnerability is identified, producing ever more complex threats, so it is evident that, in the current landscape, total cyber security is unachievable.

“An effective cyber resilience strategy is therefore the answer, helping organisations prevent, prepare for and respond to cyber attacks, and ensure they are not only managing their risks but also minimising the business impact.”

As part of the framework, we offered a self-assessment questionnaire, which helped organisations see how their existing measures compared to the framework and how much work was necessary to achieve cyber resilience.

We collated the results of the self-assessment to create this report, which provides a broader insight into how organisations are addressing cyber security risks and which threats are most commonly overlooked.

How does your organisation compare?

Download the report for free from our website to see the survey results in full and guidance on where organisations are going right and wrong.

If you’d like to know how your organisation compares to the survey’s respondents, our self-assessment questionnaire is still available.
