- OTRS survey of IT security staff reveals need to catch up
- Only about half as many U.S. and Singaporean companies as last year are optimally prepared for security incidents
- Staff shortage and lack of investment in software, infrastructure and training jeopardize IT security
Cupertino, CA, November 3, 2022 – Since the start of the war in Ukraine, the IT security situation in businesses worldwide has been further aggravated: Three- fourths (75 percent) of IT security teams in the U.S. and Singapore have registered an increase in security incidents, with 48 percent of them reporting significantly more incidents than before. However, many companies have evidently been unable to keep pace with the rapid increase in threats. The number of IT security employees who consider their company to be optimally prepared in the event of a security incident has dropped by 23 percent globally. These are the findings of the most recent “OTRS Spotlight: Corporate Security” study conducted by OTRS AG in collaboration with market research firm Pollfish, in which 500 employees in IT security teams worldwide were asked about the status quo and development of cybersecurity in their companies.
Desire to save money becomes security risk
Today, who has to do what and who is responsible for what in the event of a security incident is clearly defined in the vast majority of companies (96 percent). The factors that make it more difficult for employees to secure the company’s IT as well as possible and to respond as quickly and comprehensively as possible in the event of an emergency are of a different nature. First and foremost, there appears to be a deep desire to save money – understandable, but at what cost? This can be seen sometimes in a hesitancy to hire new staff. Although, internationally, hiring additional staff for the company’s Security Operations Center (SOC) is rated as one of the three most useful measures for coping with the increased number of security incidents, only slightly more than three in ten of the US and Singaporean companies affected by an increase in incidents (36 percent) have done so.
The fact that this does not cover the actual personnel requirements is also shown by the call for personnel relief among the 41 percent of global respondents who think that IT security does not receive enough attention in their company. Among this group, the call for security training for all employees is in first place with 48 percent, followed by infrastructure (43 percent). Investment in additional manpower (40 percent) and more software (27 percent) complete the list of investments deemed necessary. On a global level, teams in Germany and Mexico are the most dissatisfied overall with how IT security is handled at their company, while satisfaction is highest in the USA at 68 percent.
Growth among incident management teams
Despite all this, there is also a positive trend in terms of personnel development in both the U.S. and Singapore: Compared to the previous year, the teams responsible for incident management have grown. While in 2021, seventeen percent of the teams consisted of just one person; this year, the figure is just two percent. The same development can be observed across all the markets surveyed.
However, Christopher Kuhn, COO of OTRS AG and General Manager of OTRS Inc., does not see this as a reason to sound the all-clear: “The threat situation in cyber space will not ease in the foreseeable future, but will only tend to increase. Therefore, businesses urgently need to upgrade their IT security and go the extra mile in the battle for talent. In concrete terms, this means offering incentives to attract skilled professionals and also engaging in education and training in order to encourage lateral movement and retain employees.”
Short-term measures as a sign of insufficient preparation
To cope with the increased number of security incidents since the start of the war in Ukraine, businesses have primarily chosen short-term measures. At 64 percent each, they have responded most frequently by reviewing and adapting their IT systems in terms of updates, backups and secure employee logins as well as training all their employees to make them aware of security issues. Beyond that, almost half (49 percent) have introduced software to monitor, detect and prevent security incidents. Less frequently, software has been introduced to respond to and manage security incidents (30 percent). Block lists to block traffic from Russia were also introduced less frequently. 21 percent of businesses responded by introducing an incident management plan.
“The fact that less than a quarter of companies introduced an incident management plan or software to respond to and manage security incidents only when the threat level had risen acutely is worrying,” says Christopher Kuhn. “Once again, this shows that IT security still receives insufficient attention and that it is not being thought about preemptively and long-term enough. Preventing security incidents as far as possible is of course essential, but no one can achieve one hundred percent security. Those who are not fully prepared for the worst case scenario cannot react quickly and effectively enough and thus expose themselves to an enormous business risk. Awareness of this must spread much more strongly from the IT departments through to the executive floors, where IT security must be anchored and promoted into all corporate divisions from.”
About the survey
The data used is based on an online survey by Pollfish Inc. in which 500 employees in IT security teams in Germany, the U.S., Brazil, Mexico and Singapore participated between October 6, 2022, and October 22, 2022, including 200 in the U.S. and Singapore combined. The same survey was conducted in 2021, with the exception of the questions on developments since the start of the war in Ukraine. The results of this survey were used for comparisons with the previous year.
- Survey results from the U.S. and Singapore at a glance
- Infographic “Increased threat level”
- Infographic “Insufficient protective measures”
- Infographic “Need for investment”
- Infographic “Coping strategies”
About OTRS Group
OTRS Group is the manufacturer and the world’s largest provider of the enterprise service management suite OTRS, awarded with the SERVIEW CERTIFIED TOOL seal of approval. It offers companies industry-independent solutions for structured communication in customer service, IT service management and security management. In addition to the core product OTRS, the security solutions STORM and CONTROL ensure efficient cybersecurity incident management and transparent documentation in accordance with standards such as ISO 27001.
Among its customers are Lufthansa, Airbus, Porsche, BSI (Federal Office for Security in Information Technology), Max Planck Institute, Toyota and TUI Cruises. The company consists of OTRS AG and its five subsidiaries OTRS Inc. (USA), OTRS S.A. de C.V. (Mexico), OTRS Asia Pte. Ltd. (Singapore), OTRS do Brasil Soluções Ltda. (Brazil) and OTRS Magyarország Kft. (Hungary). OTRS AG is listed on the basic board of the Frankfurt Stock Exchange.
For more information, see www.otrs.com.