According to a new survey of more than 300 public and private organizations across Indiana, nearly one-fifth said they had experienced a cyberattack in the past three years.
More than 80% of respondents – representing private companies, governmental and public organizations, and utilities in Indiana – reported that their organizations have taken steps to prevent a cybersecurity incident.
The findings come from the report “State of Hoosier Cybersecurity 2020,” which was prepared for the Indiana Executive Council on Cybersecurity by the Indiana University Kelley School of Business, its Indiana Business Research Center and the University of Arizona.
“This is the first time we have a state-level snapshot of both cyber hygiene practices as well as how businesses and local governments are using cyber risk insurance as a tool to mitigate the risks they face,” said Scott Shackelford, associate professor of business law and ethics and chair of the IU Cybersecurity Program.
“In a field that is too often starved for hard data, this is a unique opportunity to highlight what Indiana organizations are doing well, and poorly, when it comes to safeguarding their systems, employees and customers,” added Shackelford, who also is executive director of the Ostrom Workshop.
As in other states, public and private organizations in Indiana have faced cyber threats. Prominent cases have included an email hack of the sheriff’s department in Lake County, an attack on government computers in Lawrence and LaPorte counties, and a breach at Hancock Memorial Hospital, but universities, small businesses, utility companies and school corporations also have been victims.
While about 19% of respondents indicated they had experienced a successful cyber incident since 2017, another 67% said they hadn’t and 13% weren’t sure or declined to provide an answer. Of those who said their organization had experienced a cyber incident, 50% said it did not result in data loss. Thirty-one percent said fewer than five of these incidents resulted in data loss.
“It’s clear from this first-of-its-kind report that while most Hoosier organizations are aware that cyber threats exist, most do not have a clear understanding of how to prevent or respond to cyberattacks,” Attorney General Curtis Hill said. “We hope that through this report, and our ongoing efforts to implement a safe harbor rule, we can keep organizations and citizens safe from cyberattacks, the fastest-growing type of crime in the United States.”
Of those who indicated that they had taken steps to prevent cyber incidents, 95% had installed antivirus software, while more than 75% had updated or patched their software. More than 70% had provided their employees with training to reduce cyber-related risks.
Researchers received 336 responses: 197 complete responses and 139 incomplete responses. Seventeen of the 197 Indiana organizations that completed the survey said they had used mechanisms to prevent cyber incidents other than those suggested by the survey. They described a broad range of approaches, including installing firewalls and spam filters, adopting multi-factor authentication and hiring a cybersecurity firm to advise on defenses.
Only 27% of organizations reported having an updated incident response plan ready to respond to a cyberattack. Researchers found organizations had fragmented approaches to managing cyber risks, with 15% of respondents indicating that their point person was their chief information officer, while another 14% indicated that this role was filled by their CEO. Otherwise, cybersecurity incidents were dealt with by those in a variety of other roles.
Sixteen percent of those surveyed said they either did not have a plan in place or were unsure about what to do to prevent cyberattacks.
“Indiana organizations are by and large aware of the multifaceted cyber threats facing them, but the vast majority have not created incident response plans for how to manage data breaches that could result from these threats,” Shackelford said. “It’s a concern that there is no consensus on how to organize to effectively manage cyber risks, including what type of point person should be in charge, and how they should work with other leaders across the organization, and with their peers and partners, to maximize cybersecurity preparedness.”
One key component of a cyber risk mitigation strategy is insurance. More than half of Indiana organizations already have cyber risk insurance, with another quarter considering it. But the survey found that many organizations were unsure about what types of coverage they have and what exclusions might apply.
Anne Boustead, an assistant professor in the School of Government and Public Policy at the University of Arizona and a co-author of the report, said there is still much we can learn about how companies decide whether to adopt cyber risk insurance, and the role of cyber risk insurance in mitigation practices.
“Our findings indicate that cost and coverage limits can deter organizations from adopting cyber risk insurance,” she said. “However, as this research continues, it will be particularly important to explore other potential barriers to adoption of cyber risk insurance.”
The authors plan to conduct a follow-up study in several years to determine how these trends are changing over time, and to mirror the efforts in other states, including Arizona, to better situate the findings. The report is attached.