At a time when most businesses are finding it difficult to hire and retain IT professionals, business leaders may want to consider just how big an impact their approach to cybersecurity is having on the willingness of IT professionals to stick around.
A new global survey of 2,391 IT and IT security practitioners working at small-to-medium businesses (SMBs), conducted by The Ponemon Institute on behalf of Keeper Security, a provider of password management tools, finds nearly half (45%) of the 2,000 respondents described their organization’s IT posture as it relates to cybersecurity as ineffective, with 39% reporting they have no incident response plan in place.
That lack of readiness is becoming a major issue because the survey also finds attacks are increasing in terms of both volume and sophistication. Two-thirds of respondents (66%) said their organizations have been attacked in the last 12 months, with phishing (57%), compromised or stolen devices (33%) and credential theft (30%) cited as being the common vectors for launching these attacks. Nearly two-thirds (63%) also reported at least one incident involving the loss of sensitive information about customers and employees in the past year.
Even though IT professionals are usually not at fault when data is lost or stolen, most of them take these attacks personally. It’s a matter of pride, so it should not come as a surprise that most IT professionals would prefer to work at organizations that take cybersecurity seriously. There may never be such a thing as perfect security, but most businesses today still make it too easy for cybercriminals to access data simply because business leaders didn’t appreciate the true scope of the threat.
Nearly half the respondents (49%), for example, said the use of mobile devices to access business-critical applications diminishes their organization’s security posture. A full 80% said it’s likely that a security incident related to unsecured Internet of Things (IoT) devices could be catastrophic, yet only 21% monitor those devices.
Obviously, factors such as salary and benefits have more of an impact on IT staff turnover than cybersecurity. However, the stress that comes from trying to protect applications and systems that are inadequately secured takes an inevitable toll. In fact, many IT professionals are starting to ask some tough cybersecurity questions before they even consider taking another position. IT professionals also talk to one another, so most of them have a pretty good idea which organizations are only paying lip service to cybersecurity concerns.
That increased focus on cybersecurity may, of course, put smaller companies at a disadvantage in terms of the budget dollars they can allocate to cybersecurity. However, the attack surface smaller companies need to defend tends to be smaller, so while budget is a factor, IT professionals are generally going to be more focused on what processes are in place to secure the IT environment. Organizations that want to attract the best IT talent might want to consider finding a way to weave their approach to cybersecurity into their recruitment efforts. Many of them will be surprised to discover how many more potential IT recruits will sit up and listen.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.