Cybersecurity challenges continue to prevail, impacting private businesses, governments, and the public sector daily. Increased and evolving threats reveal weaknesses and vulnerabilities within organizations of all sizes, even at the most basic, human level.
CIBR Ready, in conjunction with 101 Research LLC, conducted a short web survey of 226 IT program graduates to better understand cybersecurity barriers and challenges in the workforce. The results of this small sample provide a snapshot into the cybersecurity posture of organizations and areas for improvement in cybersecurity culture and cyber defense practices. It should be noted that most respondents are IT professionals; therefore, study results may indicate a stronger cybersecurity posture within IT Departments than what may be found in other non-IT Departments. Some results account for company size, (specifically companies with fewer than 500 employees and those with more than 500), contributing factors for resources (or lack thereof).
Organizations’ Cybersecurity Posture
An organization’s cybersecurity posture is the strength of the cybersecurity controls and protocols for predicting and preventing cyber threats, and the ability to act and respond during and after an attack. Certain complexities present in smaller organizations may not affect larger organizations with adequate IT staff and vice versa as inferred from the survey results below.
| Overall | >500 employees | <500 employees | |
| Very or extremely confident in the organization’s cybersecurity posture | 63% | 69% | 54% |
| Organization’s leadership places very or extremely high value on cybersecurity | 78% | 85% | 68% |
| Organization’s employees place very or extremely high value on cybersecurity | 62% | 71% | 50% |
Overall, only 63% of respondents were confident in their company’s cybersecurity posture, which is a little surprising given 75% of respondents indicated they were very or extremely knowledgeable about cybersecurity policies and practices. For each of the three questions, respondents who work for companies with more than 500 employees rated at least 15% higher than companies with fewer than 500 employees. This could be because larger companies have additional resources they can utilize for cyber defense, or even that they are more aware of cyber threats. Approximately 85% of respondents in companies over 500 employees felt their leadership placed a high value on cybersecurity, which is high given only 69% of those same respondents said they were confident in their company’s cybersecurity postures. This could indicate that while leadership may value cybersecurity, they may not have the tools or resources to implement such measures to overcome the challenges of cybersecurity.
Passwords and Devices
Weak password requirements can be a significant risk for organizations, and it is one of the most common cyber attacks encountered by businesses. Below are a few key findings regarding the use of passwords from our survey:
- 5% of respondents indicated they have been asked for their password by someone at work
- 20% of respondents stated they sometimes or always use the same passwords for work and personal accounts
- 12% of respondents reported they were last required to change their password either more than 1 year ago or never
Organizations develop password requirements, which determines their overall password protection. The table below shows the percentage of respondents who believe their company has strong requirements for passwords. Companies larger than 500 employees have over a 90% agreement level, significantly higher than companies with fewer than 500 employees. This can most likely be attributed to company resources. Smaller companies have a smaller staff for managing IT services.
| Overall | >500 employees | <500 employees | |
| Your organization has strong requirements for passwords | 81% | 91% | 65% |
Another common practice is for employees to lock their computers or devices when they step away from their desks. In our survey, 74% of respondents said they were required to lock their computers. This implies that over a quarter of respondents (26%) do not have this requirement, leaving their screens in plain view for others to see. Again, there is a significant difference between large and small/medium size companies with staff at smaller and medium-size companies more exposed to threats.
| Overall | >500 employees | <500 employees | |
| You are required to lock your computer when you get up from your desk | 74% | 95% | 63% |
Training
Respondents were asked about cybersecurity training, specifically the timing and frequency of those events. A summary of responses is below:
In reviewing this graph, 79% of respondents reported they received training on cybersecurity within the last year while 16% stated they have never received cybersecurity training.
Perceived Barriers and Challenges to Improved Cybersecurity
The table below shows the main barriers to managing cyber threats. Survey participants marked all that applied to them, so percentages reflect the number of responses for each option.
| Response Choice | Percent of Respondents |
| Lack of trained staff/skills | 35% |
| Difficulty in implementing new security systems/tools | 24% |
| Perception that risk of cyberattacks is low | 24% |
| Lack of management buy-in | 15% |
| Lack of visibility into network traffic and other processes | 15% |
| Context/feeds don’t provide the information that is needed | 9% |
| Lack of confidence using information to make decisions | 9% |
| Other* | 9% |
| None | 34% |
A few revelations stand out. First, over a third (34%) reported no perceived barriers. Of the barriers selected, lack of trained staff was highest followed by challenges in implementing tools and low perception of risk of cyberattacks. This highlights a theme seen across industries, especially among small and medium-size companies: investment in cyber defense may not be worth the cost due to a ‘low risk’ perception.
Summary
The results of this survey indicate that while IT professionals are knowledgeable about cybersecurity, the organizations they work for must significantly improve their cyber defense. Small and medium-sized companies are not as prepared as larger companies, most likely due to a lack of resources. Common practices of strong password protection and locking computers are implemented more at large companies than at small and medium-sized companies. And lastly, (but most notably!), employers often have a ‘low risk’ perception of cyberattacks despite the ongoing threats frequently reported in the US and abroad.
CIBR Ready provides innovative strategies to assist businesses to achieve cyber readiness and a proactive approach to cyber defense. We simplify the complex cybersecurity landscape so your business will have a clear, achievable path to cyber readiness. We will assess your vulnerabilities, identify current risks, and help you implement a comprehensive plan to achieve the level of cybersecurity required for your business and industry. This results in a path to a secure environment for organizations that may not be able to achieve protection on their own.