Despite a year full of devastating, massive-scale breaches, many organizations still lack the cybersecurity infrastructure and training needed to adequately protect themselves from cyber attacks. In many cases, even the threat of regulatory scrutiny may not be enough to encourage organizations to invest more heavily in cybersecurity resources.

A recent survey coauthored by consulting group Nexia International and professional services firm CohnReznick polled more than 350 organizations and found that 46 percent do not have a formal cybersecurity program; an additional 20 percent of respondents lack a cybersecurity program even when government, industry or consumer regulations require them to have one.

Survey respondents cited time and budgets as their biggest obstacles to implementing organizational cybersecurity: Fifty-one percent noted that lack of time dedicated to cybersecurity issues was an “extreme” challenge for organizations, while an additional 45 percent said the same of limited budgets.

That lack of investment shows up in the kinds of safety precautions many organizations have failed to take. Likewise, many have failed to understand their own cybersecurity vulnerabilities. Twenty percent have not conducted a cybersecurity assessment at all. Only 25 percent offer cybersecurity training to their employees on an annual basis.

CohnReznick partner David Rubin found the lack of investment surprising, especially given the current cybersecurity landscape. He noted that regulatory concerns seem to be the biggest incentive to bolster resource investments in cybersecurity.

“The driver of cyber-investment is still regulation rather than data risk management,” he said.

Both regulators and third-party vendors seem to be stepping up their scrutiny of organizational cybersecurity—Rubin sees local cybersecurity regulations and vendor cybersecurity contractual stipulations on the rise. These still may not be enough to get some companies to invest more heavily in their cybersecurity infrastructures and programs.

“It really becomes still a question of how many companies will be willing to take the risk that they won't get hit even with those regulations. It's going to take, I think, some companies seeing or industries seeing that regulations are being enforced, or they're losing business for them to take it seriously,” Rubin said.

For attorneys looking to help clients who've shirked their cybersecurity investments, Rubin suggested that having a well-oiled response plan and a gentle push to do more preventative work can help.

“What I do feel they can do is educate their clients. The focus should be to understand their client vulnerabilities, the impact of those vulnerabilities, and what things they can have their clients do to prevent, and get their clients ready in the event that they need to respond so that it's almost a muscle reflex in terms of what they do and how they respond to an incident,” he said.

That preventative work should involve some form of education, Rubin added. “The survey clearly indicated to us that there's not enough training going on,” he said. “Training is a very, very important component to an effective cyber-component. Policies that people are trained on are an effective part of a cyber program.”
