A new report on cybersecurity has found that when it comes to cyber threats and attacks, companies are shifting from a technology focus and a defensive mindset to process improvement and a proactive approach.
The study, conducted by CompTIA, a technology association, advised employers that “in a world of constant, evolving attacks, a mentality of preventing all breaches is outdated. Organizations must shift to proactive measures, including external audits, penetration testing, and security training.” Strong defenses will always play a role, according to the report, but they must be coupled with ongoing offensive activity.
The Evolution of Security Skills found that out of 350 employers surveyed, 37% had a mostly preventative approach, focusing on keeping threats out. Another 29% were highly proactive with an emphasis on detection/response, and the remaining 34% had a strong defense balanced with some proactive measures.
One of the challenges for organizations, CompTIA explained in a press release announcing the survey results, is that they tend to place the greatest emphasis on the cyber threats they understand the best. Malware and viruses, two of the oldest forms of cyberattacks, typically get the most attention.
“While we certainly need to remain vigilant about these threats, many other forms of attack have emerged that can carry disastrous consequences,” Seth Robinson, senior director, technology analysis, CompTIA, said in the press release.
The majority of companies in the CompTIA study expressed only mild concern that they would be the target of ransomware, distributed denial of service, social engineering, Internet of Things-based attacks, or SQL injection.
“While many companies have moved in the direction of cloud computing, mobile devices and other new technologies, it’s clear that a large number have failed to fully consider the corresponding security implications,” Robinson noted. “Gaining an appreciation and understanding of the many threats in play today is the first step in threat management.”
The study found that training and certification are generally the favored methods (60% and 48%, respectively) for building advanced security expertise. Companies that pursue certification for their technology professionals after training find that certifications provide a higher degree of credibility, better proof of knowledge, and improved candidacy for open positions.