Research conducted by Microsoft Ireland has revealed that three in four (76%) leaders in large organizations in Ireland are worried about their organization’s security.
This research was conducted by Amárach across 200 decision-makers who work for organizations that employ upwards of 250 staff. It follows on from Microsoft research in 2019 that looked at employees’ security habits. Together, the two sets of research provide the employee and the employer perspectives on the state of cybersecurity in Ireland.
This year’s research focuses on four key areas of cyber risk: Identity Access Management, Threat Protection, Information Protection, and Security Management.
Identity and Access Management: When asked how their organisations manage employees’ identity and access management (IAM) policies, four in ten senior IT decision-makers said they are somewhat worried about the digital threats they face due to challenges in managing employees’ IAM. When asked what particular issues they faced, they named the following as the toughest challenges:
- Too many portals and passwords
- Escalating number of password reset calls to Help Desk and rising costs
- Lack of visibility and control across environments
Only a minority (one in four) completely agree they have strong IAM processes in place. This concern is further reinforced by previous research from Microsoft that showed that 44% of employees use the same password across multiple devices, with a further 38% recycling passwords at work.
When organizations and employees were asked about alternatives to passwords, biometric verification (e.g. facial recognition or fingerprint) ranked the highest among organizations (58%) and employees (62%) as a replacement for traditional passwords.
Security Management: Only one in four organizations fully believe they are well secured against cyber threats. When it comes to security management, only 3 in 10 senior IT decision-makers completely agree they have a clear strategy for protecting and managing sensitive information.
A majority (70%) of large Irish firms have experienced problems with phishing, hacking, cyber-fraud, or other cyber-attacks. Despite this, approximately the same number (69%) are not planning to hire additional staff with cyber-security expertise. Of the 31% who are planning to bring on additional cyber-security staff, over half (54%) are finding it challenging to find the right candidate.
Increases in the sophistication of cyber-threats require organizations to continually adapt and invest in their preventative measures. When asked if they plan to maintain, or further invest in their cyber-security measures, nearly half plan to invest, while four in ten plan to maintain their current budgets. Of those who plan to increase spending, 67% will invest in software, 66% in training, 47% in hardware, and less than a third (31%) plan to invest in recruitment.
Threat Protection: 70% of Irish organizations have experienced problems with phishing, hacking, and cyber-fraud. When asked to rank their top five cyber-threat fears, they responded:
- Inadequate password and security practices (62%),
- Ransomware attacks (59%),
- The growing sophistication of cyberthreats (56%),
- Loss of financial or other data through theft or sabotage (50%), and
- Loss of intellectual property (37%).
Overall, many senior decision-makers are confident about their ability to comply with data regulations (e.g. GDPR), but the majority feel vulnerable to hostile cyber-attack and are taking significant steps to protect themselves.
Information Protection: Senior management reported the challenges of managing staff, remote working access management, and personal devices in the workplace. The research showed that overall, 7 in 10 (69%) organizations don’t allow employee access to their network from a personal or non-work device. In stark contrast, the 2019 employee research showed that 49% of employees use their personal email when working remotely, potentially exposing their organization to a data breach as they bypass their organization’s security measures.
However, over a third (36%) of large Irish firms who have experienced a cyber-attack continue to allow their staff full access from personal and mobile devices.
When working from home, the vast majority of organizations restrict employee access to documents and other information. However, in organizations employing over 500 staff, nearly a quarter (24%) of organizations do not put any restrictions on employees’ access when working from home.
When it came to using cloud computing as a solution to addressing large organizations’ IT challenges, 46% of Irish organizations’ senior decision-makers felt they had no security concerns moving their data or systems to the cloud.
Comparing Employer and Employee Attitudes to Change
In early 2019, Microsoft conducted similar research, in collaboration with Amárach Research, by polling 900 employees of large Irish companies. They were asked about which additional security measures they would welcome, and those responses can now be compared with those of the IT decision-makers (i.e. employers) from the most recent study.
When asked about employing a dual-device authentication system, 69% of employers were in favor, while only 41% of employees would welcome the change. The support for geolocation verification was 64% among employers and 49% among employees. Biometric verification, whereby your laptop or phone reads your fingerprint or scans your face via the in-built camera to access a service, was very similar between employees and employers, at 58% and 62% respectively.
“Organisations face an ever-escalating threat from cyber-attack that is pushing organizations’ IT security to their limits. As a result, organizations can investigate 56% of the security alerts they receive daily,” said Des Ryan, Solutions Director, Microsoft Ireland. “The research shows that senior management in large organizations are worried about protecting their organization, as new technologies transform their industry. A gap exists between organizations’ view of how secure they feel they are, versus the reality where their organizational security habits are leaving them open to data loss or hacking. Iterative security policies and poorly implemented planning have spawned some bad employer habits. Organizations must now ensure they are taking a considered approach to data security, and embrace new procedures and technologies, coupled with consistent training, enforced policies, along with better device upgrades to enable employees to deliver the productivity needed for successful transformation with a minimum of risk to the organization.”
Stephen Parsons, Head of Information Security at SISK Group said, “We have been focused on transforming our cybersecurity strategy to identify and minimize risk across the organization. The benefit of this is that we can streamline and simplify employee access to our network and automatically enforce policies to identify suspicious activity. This has served to eliminate recurring issues and risky behavior and simplify security management across the organization. As a result, we have increased both our productivity and confidence when it comes to compliance demands either legal or from our prospective or existing clients.”