New global research by MetricStream, the independent market leader in governance, risk and compliance (GRC) solutions, has revealed that there is still a wide chasm between IT cyber risk management strategy and actual practice.
While risk management is taking centre stage at the executive level, most organisations still rely, surprisingly, on spreadsheets to manage IT risks. More than 45% of respondents reported using spreadsheets, even where they had an IT GRC solution in place, and 54% stated that they do not use any IT GRC solution to manage IT risks.
These key findings come from MetricStream’s latest IT Risk and Compliance Survey in which security and risk professionals from around the world addressed their top issues around IT and cyber risks. Respondents include representatives from multiple industries, including financial services, telecom, technology, manufacturing, government, education, healthcare, and transportation.
“Most security and risk professionals know that IT security is like a chain; you are only as strong as the weakest link,” said Gaurav Kapoor, COO, MetricStream. “Despite breakthrough advancements in artificial intelligence, machine learning and other advanced risk management technologies, the weakest links – spreadsheets – underpin a majority of enterprise risk management programs.”
A further key finding of the survey is that while risks are evolving, compliance violations remain top of mind. Distributed denial-of-service (DDoS) attacks are now the biggest threat, reflecting how the risk landscape looks quite different from 2018, when MetricStream’s survey found that malware infections were the biggest threat.
It is not too surprising though that DDoS attacks were highlighted as a major concern given their sharp increase since COVID-19. In fact, in 2020, for the first time in history, the annual number of DDoS attacks crossed the 10 million threshold. NETSCOUT recently reported 10,089,687 attacks over the course of the year, nearly 1.6 million more attacks than 2019’s count of 8.5 million.
Despite how rapidly risks are evolving today, most IT risk programs have yet to reach optimal maturity. When asked about the maturity level of their IT programs, 69% of respondents stated that they are not quantitatively managing their IT risk program. Furthermore, 31% of respondents report having IT risk assessment reviews only on a quarterly basis. Only 15% stated having monthly reviews, which is concerning in the COVID era.
Having said that, when asked about future plans, over a third (38%) of respondents stated that they plan to increase their investment in IT risk management, security and compliance, which were top priorities for 2021. Respondents ranked their top 2021 priorities as:
- Investment in IT security solutions
- Compliance with federal and government regulations
- IT security data aggregation and reporting
Managing risk was hard enough before the pandemic came along. However, with entire workforces now suddenly transitioning to working on home networks and personal devices, the chances of data security issues, and therefore compliance violations, are significantly higher. IT, security, and compliance teams have their work cut out for them as they strive to minimise compliance gaps, test controls, and prevent violations across a wide range of IT regulations and standards.