More than 90% of large US companies with 500+ employees have a cybersecurity policy in place to protect them from both real and anticipated threats.

B2B ratings and reviews firm Clutch surveyed corporate IT decision-makers about what to include in a cybersecurity policy and found that security software, data backup and storage, and scam detection are the most common areas cybersecurity policies cover.

Phishing attacks are the cybersecurity attack large companies most commonly experience: 57% of IT decision-makers said their company experienced a phishing attack in the past year. 

More than 80% of IT decision-makers surveyed say they proactively communicate their company's cybersecurity policy, policy compliance, and training to employees. However, only two-thirds (66%) of these decision-makers enforce their company's cybersecurity policy.

Experts attribute the drop-off in enforcement to the struggle companies face when balancing policy adherence with employee concerns. The survey said this suggests that some employees' work experience may be affected by an employer's strict enforcement of its cybersecurity policy.

Experts recommend regular communication to employees about cybersecurity policies so employees are aware of expectations and consequences of noncompliance but don't feel they are being micromanaged regarding security precautions.

IT decision-makers think the best way to improve their companies' cybersecurity policies is to invest in technology. In support of that position, 71% say their company will invest more in cybersecurity resources and technology over the next year.

The survey said that when companies focus on communication, compliance, and training, they address two central cybersecurity concerns: the evolving cybersecurity threat landscape and internal risk posed by employees.

Cybersecurity threats evolve with technology, the research said. Thus, the threat of attack is constant. The most effective way to combat perennial cybersecurity threats is to update and effectively communicate policy.

Some cybersecurity risk occurs unknowingly due to an absence of organizational communication and guidance for cybersecurity policies, an issue that is amplified by an evolving threat landscape. So, companies that excel at communicating policy are the most prepared for current and future cybersecurity threats.

Employees' use of personal mobile devices and remote work are two factors that affect the level of internal risk at large companies, the research said. Employees who use personal devices to access work-related data or connect to unprotected WiFi networks put their company at risk. In fact, three of the top four mobile security concerns among large companies are open WiFi networks, unauthorized apps, and BYOD.

Remote work makes using unsecured devices and networks more likely. The study finds that 89% of companies allow their employees to work remotely. Nearly three-fourths (74%) of companies also allow their employees to use personal devices for work.

Employees’ perception of their companies’ policies underscores the human resources component of cybersecurity, the research said: companies need to balance employee concerns with enforcing consequences for violating cybersecurity policy.

More than half of IT decision-makers (52%) describe the enforcement of their company’s policy as “moderate.”

Employees do not enjoy being monitored or punished for violating cybersecurity policy, and companies that prioritize enforcement over human interests risk damaging employee morale and company culture, the research said. It recommended finding a balance that allows employees to do their jobs without fearing company oversight while still understanding the consequences for violating the policy, calling this the key to addressing the human resources concerns of cybersecurity.

The survey also noted that more than 70% of businesses plan to invest more in cybersecurity over the next year.

One-third of respondents (33%) said investing in technology, such as security software, secure mobile apps, and other IT services, will improve their cybersecurity policy.

The improvement driven by investing in technology allows companies to experience the full benefits of a more effective cybersecurity policy. More than 60% said the main benefits of a cybersecurity policy are protection from external or internal threats.

Investing in technology brings protection from external threats, reduces internal threats, ensures compliance with policy, and brings peace of mind to large companies, the research said.

Clutch’s survey also showed that cybersecurity policies of large US businesses focus on security protocol and data protection, two areas that echo global security concerns. These businesses view investing in technology as the key to protecting them from security attacks, particularly phishing scams.

However, large companies also face a human resources dilemma with their cybersecurity policies, as they must balance the interests of their employees with enforcing their policy. The key to reaching this balance, according to industry experts, is effective communication and training.

If companies can reduce internal threats, they reap the full benefits of a cybersecurity policy, especially the protection from external threats, the research said.