64% of companies expect cyber attacks

A survey conducted by Vanson Bourne, a leading firm in technology market research, revealed some alarming statistics about cyber attacks and disaster recovery.  The survey was completed by 250 UK IT decision makers working in organizations of at least 250 employees, across a variety of industries.  Here are some highlights of the results:
  • 64% expect their organization to be a target of a cyber attack within the next 12 months.
  • 32% confirm that their business was hit by a cyber attack during the past 12 months
  • 49% said that they did not know if they had been compromised
  • 61% rated their ability to detect suspicious behavior in advance of an attack as no better than average
  • 70% of organizations which use a point-of-sale (POS) system to process credit card payments admit that they have no way of knowing if their systems had been targeted.
  • 20% of POS users were confident in saying that their systems had not been targeted
  • 52% of POS users were confident that their current security solution would be able to stop advanced threats or attacks against their system
  • 74% of all respondents still had systems running on Windows XP, even though the OS had reached its end-of-life
  • Only 29% of those Windows XP users had plans to migrate to a newer OS
  • When asked about the impact of an attack on their organization, respondents worried about the following:
    • 77% - system downtime
    • 68% - data loss or compromise
    • 52% - damage to their corporate brand
    • 50% - financial damage
  • When asked where they thought an attack was most likely to come from, respondents mentioned the following:
    • 86% - anonymous or other hacktivists
    • 77% - cyber criminals
    • 61% - disgruntled employees

The above statistics reveal some major quirks in a large number of organizations that aren't taking information security seriously and assume that they won't be a target of any sort of cyber attack.  We hear about bugs and vulnerabilities in well-known sites and systems being revealed almost on a daily basis, and such companies are clearly taking such news for granted with an "it probably won't affect me" attitude.  Another problem is the lack of funding or determination by companies to push on new security measures, disaster recovery plans, and regular testing and research of the systems being used.  This is an issue of cost vs. impact, since at the end of the day the financial impact on a business is usually higher than the initial investment cost of implementing best-practice procedures and measures.