Cyberattacks and breaches are becoming more common and have PR and economic consequences for corporations. However, there is no clear consensus on what constitutes a reasonable level of cybersecurity best practice. The authors ran a study of 197 organizations in Indiana that responded to their survey, and found systematic differences in security practices, and in the understanding of them, depending on the organization's size and on whether it was considered critical infrastructure. The main reason for the difference in practices between critical infrastructure and non-critical infrastructure organizations is that critical infrastructure industries, such as health and finance, often already have legal regulations in place for cybersecurity protocols. Small and medium enterprises have fewer cybersecurity practices in place, such as maintaining a cybersecurity team or purchasing cybersecurity risk insurance, because of their limited capital and misunderstanding of what should be prioritized. Since all companies are susceptible to cyberattacks, there needs to be more investment in cybersecurity education for companies.
Authors:
Christos Makridis, Anne Boustead, Scott Shackelford