Professional services, IT and tech companies are under siege from cybercriminals, according to Keeper Security's 2021 UK Cybersecurity Census Report.
Professional service organizations, a category that includes lawyers, accountants and consultancies, experienced an average of 62 cyberattacks over the past year, or one attack every six days. Meanwhile, IT and technology companies experienced an average of 44 cyberattacks in the same timeframe, or about one attack every eight days.
Nearly all of these organizations (95%) are aware of where the gaps in their cybersecurity defenses lie, but fewer than half (40%) are actively addressing all of them. One reason is the significant cybersecurity skills shortage. Fifty-nine percent of IT decision-makers at tech firms, and 65% in the professional services industry, told Keeper that a lack of qualified talent is hampering the cybersecurity efforts in their organization.
Lack of cybersecurity awareness among employees, especially regarding password security, also contributes to organizations' inability to comprehensively secure their networks. While over 80% of data breaches are due to compromised passwords, 59% of IT decision-makers at professional services companies say that employees don't understand the cybersecurity implications of poor password hygiene.
Ironically, having technically inclined employees doesn't equate to good cybersecurity awareness. Sixty percent of IT decision-makers at IT/tech companies reported that their employees don't understand the importance of password hygiene, either.
IT leaders want board and governmental oversight of security
IT leaders in both the tech and professional services sectors are united in feeling that their organizations' executive leadership, and their government, need to do more. Nearly three quarters (74%) of IT leaders in the professional services sector, and 72% in the IT/tech sector, want cybersecurity to become a board-level issue, including having a dedicated cybersecurity specialist on their organizations' boards.
Further, 85% of IT leaders in the professional services sector, and 88% in the IT/tech sector, called for external oversight and accountability in the form of an independent body – an 'Ofcom for cybersecurity' – to reduce cyberattacks against businesses. Nearly all of them (93% in professional services, and 92% in IT/tech) want to see legislation requiring businesses to have basic cybersecurity protections in place before they're allowed to operate.
What companies can do to strengthen their defenses
The wheels of government – and many organizations – tend to turn slowly, but there are steps that resource-strapped companies can take right now to fortify their cybersecurity defenses.
1. Keep apps, operating systems and firmware up to date
These updates frequently contain important security patches, and they should always be installed as soon as possible. Computers worldwide remain vulnerable to the EternalBlue Windows exploit, responsible for WannaCry and other major cyberattacks, simply because users haven't installed the patch that Microsoft issued in 2017.
2. Use role-based access control (RBAC)
Employees should be granted only the network privileges they need to perform their jobs and no more. IT administrators should also periodically review user privileges and adjust them as necessary to reflect any changes in employees' duties, and they should disable accounts when an employee leaves the company.
3. Train employees on cybersecurity awareness
The weakest security link in any organization is its own people. Training employees on cybersecurity best practices, especially how to avoid falling victim to social engineering, transforms them from security liabilities into security assets.
4. Develop and enforce a password security policy
All companies need to mandate that employees use strong, unique passwords for every account and enable multi-factor authentication (MFA, commonly called 2FA) wherever it's supported. Then, they need to enforce this policy using an enterprise password management (EPM) solution like Keeper.
Keeper's zero-knowledge password management and security platform gives IT administrators complete visibility into employee password practices, enabling them to monitor password use and enforce password security policies across the entire organization, including password complexity requirements, 2FA, RBAC and other security policies.