Cybersecurity matters to everybody – every company and every private individual. So how well is Indiana doing when it comes to keeping data safe and secure? Until late last year, we really didn’t have a clear answer. But a first-of-its-kind study has been submitted to the Indiana Executive Council on Cybersecurity (IECC) that provides a new overview on the state of Hoosier cybersecurity. The findings illustrate our strengths and shortcomings and provides some insight about what organizations have been doing to protect themselves.

 

1 in 5 Have Been Targeted

In the study, researchers from IU’s Kelley School of Business, the Indiana Business Research Center, and the University of Arizona looked at a broad sample of more than 300 survey responses. These were from all types of public and private entities, including companies, government branches, utilities, and others.

Almost one in five of those responders said they had experienced a successful cyber incident in the past three years. About half of them reported losing data as a result.

 

8 in 10 Have Made Preparations

More than 80% of the responders said their organizations have taken steps to prevent a cybersecurity incident. These steps represent a variety of ways to try to curb cyberattacks.

95% of the firms have installed antivirus software, and more than 75 percent have updated or patched their existing software. More than 70 percent have trained their employees on ways to reduce cyber-related risks. Other approaches include firewalls, spam filters, multi-factor authentication, and hiring cybersecurity consultants.

 

1 in 4 Have a Response Plan

About 27% of the responding organizations said they have an incident response plan ready, if an when a cyberattack transpires. They differ on how they manage risk, however, notably in terms of which individuals bear responsibility for security. For example, about 15% of the responders delegate this responsibility to their chief information officer. Another 14% of the responses said their CEO is the point-person for managing cyber incidents. Outside of those two, a variety of other types of employees manage cybersecurity.

There isn’t really a unified strategy. In fact, 16% of the responding companies have no plan or are unsure about what to do to prevent cyberattacks.

“Indiana organizations are by and large aware of the multifaceted cyber threats facing them, but the vast majority have not created incident response plans for how to manage data breaches that could result from these threats,” said Scott Shackelford, associate professor of business law and ethics, and chair of the IU Cybersecurity Program.

“It’s a concern that there is no consensus on how to organize to effectively manage cyber risks, including what type of point person should be in charge, and how they should work with other leaders across the organization, and with their peers and partners, to maximize cybersecurity preparedness,” Shackelford said.

 

More than 5 in 10 are Insured

One of the interesting things about the cybersecurity study is that it gave us some accurate data on Hoosier cyber risk insurance adoption. More than half of the responding organizations said they already have this type of coverage, and another quarter of responders are considering it. Though, lots of organizations were unsure about whether they were covered or what types of coverage they had.

The researchers said this was an opportunity to learn more about what factors could further increase cyber risk insurance adoption. They said that cost and coverage limitations might be deterrents to purchasing this type of coverage, and that other potential barriers should be explored.

 

Info for a Clear Path Forward

Now that we know a bit about where Indiana stands with cybersecurity, we can chart a pathway forward for how we’ll improve. There are several different initiatives in the works currently in our state, focused on things like protecting businesses, consumer data, and even incentivizing businesses that get proactive about cybersecurity. These efforts are still in the works, but fortunately policymakers now have some new information to help reinforce their efforts.