Only one-third of organisations run round-the-clock cybersecurity 

Trend Micro research reveals major security gaps and lack of board accountability in many companies 

Trend Micro, a global cybersecurity leader, has published research revealing that UK organisations lack sufficient resources and leadership buy-in to measure and mitigate risk across their digital attack surface.

The research surveyed 100 UK cybersecurity leaders as part of a global study, polling those responsible for cybersecurity in small, medium and large organisations to better understand their attitudes toward attack surface risk management (ASRM).

The top three gaps in cyber-resilience revealed by respondents were:

  • Sufficient staffing for 24/7/365 cybersecurity coverage – which just 31% have
  • Attack surface management techniques to measure the risk of the attack surface (used by 32%)
  • Using proven regulatory and other frameworks like the NIST Cybersecurity Framework (only 34%)

The failure of UK companies to achieve these cybersecurity basics could be traced back to a lack of leadership and accountability at the top of the organisation. Half (48%) of global respondents claimed that their leadership doesn’t consider cybersecurity to be their responsibility. Just 17% disagreed strongly with that statement.

When asked who does or should hold responsibility for mitigating business risk, respondents returned a variety of answers, indicating a lack of clarity on reporting lines. Nearly a third (25%) of UK respondents said the buck stops with organisational IT teams.

This lack of clear direction on cybersecurity strategy may be why over half (54%) of UK respondents complained that their organisation’s attitude to cyber risk is inconsistent and varies from month to month.

Bharat Mistry, Technical Director at Trend Micro, said: “A lack of clear leadership on cybersecurity can have a paralysing effect on an organisation – leading to reactive, piecemeal and erratic decision making. Companies need CISOs to clearly communicate in terms of business risk to engage their boards. Ideally, they should have a single source of truth across the attack surface from which to share updates with the board, continually monitor risk and automatically remediate issues for enhanced cyber-resilience.”

The leadership required to remediate these issues is not present in many organisations. Nearly all (94%) of those surveyed have concerns about their attack surface. Over one-third (36%) are worried about having a way of discovering, assessing and mitigating high-risk areas and 16% aren’t able to work from a single source of truth.
