Regulatory Compliance Requirements Invite Cyberattacks, Study Says
One in four organizations were hit by a cybersecurity attack last year, a new study found.
Dig a little deeper into the Hornet Security data and you find that organizations regulated by compliance requirements characteristic of certain industries are more likely to experience a cyber attack.
Compliance Compounds Cyber Crime
The Hornet survey specifically found that 3 in 10 organizations (30%) that are required to conform to compliance requirements have reported being the target of an IT security-related incident in the last year, compared to 23% of those not required to follow compliance regulations. Moreover, nearly 75% of organizations victimized by a security event have steered more money into IT security over and above what is warranted by compliance standards.
Of the 800 organizations in the study, 37% are managed security service providers (MSSPs) while 22% work with managed service providers (MSPs) or other types of IT consultants. Some 31% rely exclusively on their internal IT team.
The study dives into specific tactics hackers used, ransomware worries, size of businesses favored by attackers, number of security tools used, top security features and more.
A Deeper Dive into the Data
Here’s a closer look at eight of the data highlights:
- Attacks by email account for 71% of all incidents. Of those, spam ranks the highest (27%), followed by phishing (26%) and fraud (18%).
- 86% rank ransomware as their top concern over the next 12 months, followed by spam, viruses and malware (69%).
- Company size is a good predictor of the rate of cyber incidents. For example, 50% of attacks are directed at companies of 1,000 employees or more.
- The majority of organizations (69.3%) use 4-8 IT security tools, with the largest share of companies (16%) using five solutions.
- Spam filters were used by 85% of organizations, more than any other malware solution, followed closely by multi-factor authentication at 84%. Data loss prevention features were only used 41% of the time.
- SIEM solutions caught 42% of IT incidents, followed by access auditing (32%), email encryption (30%) and IT awareness training (30%).
- 56% of organizations said IT budgets are driven by security concerns “some of the time.” By comparison, 10% said “all of the time.”
- 64% of the companies in the study are subject to regulatory requirements, led by GDPR at 39% and PCI and HIPAA each at 19%.
Hornet offers its perspective on its results:
“As we’ve discovered through these survey results, increasing compliance requirements does not mean the complete negation of any threat. Independent, constant and proactive vigilance by each organization is still essential to provide the best chance of thwarting potential attacks, regardless of the variables involved.”