In our recent Tech Insights Survey, we found that the majority of midsize organizations have accepted the reality that they are a target for a cyberattack – it's no longer a matter of if, it's a matter of when. This is an encouraging sign that most midsize companies have moved past the denial phase where bad things only happen to other companies, and into a new phase of awareness. Despite this awareness of risk, however, our survey shows that most midsize companies are still not prepared to deal with them.

IT organizations recognize the dire threat of a cyberattack, but still have a lot of work to do when convincing the business

As we analyze the business and IT priorities side-by-side, it’s great to see that so many of their priorities are aligned. However, one glaring discrepancy is where cybersecurity ranks on their respective lists. IT recognizes the dire threat of a cyberattack – making security their #2 priority in 2018. Whereas the business ranks cybersecurity at the bottom of their list, with only 9% of business leaders believing that cybersecurity is a top priority.

This misalignment between business and IT leaves organizations deeply vulnerable at a time when the threat surface is rapidly growing. Given the sharp uptick in hacking methods and sophistication, cybersecurity can no longer be viewed as just a technology issue, it’s a business issue, too.

Despite IT organization’s intent to advance cybersecurity in 2018, a lack of executive support challenges the effectiveness of those plans.

Getting Real About Cybersecurity

Often, we see business leaders get involved only after a breach has occurred. This complacency makes little sense when you consider the many layers of financial setback a business would endure from an attack:

• Labor costs to analyze breach, reinstall software and recover data
• Cost relating to system downtime (employee productivity and lost sales)
• Legal costs due to new compliance laws
• Loss of competitive edge from the release of proprietary or sensitive information
• The cost of paying off a ransom
• And perhaps the greats risk of all, the loss of reputation or customer trust

In our experience, this reactive approach comes from a lack of information to evaluate cyber risks. If IT organizations are not clearly identifying and communicating the security gaps in a language that the business can understand, then the urgency of the risk will remain unknown and understated, limiting IT’s ability to respond in a timely manner. Equally important, the business needs to let IT in on organization-wide priorities and plans so they can proactively safeguard the assets most important to the business before it’s too late.