A new survey by Clutch shows more than 90 percent of U.S. companies with 500-plus employees have a cybersecurity policy in place to protect them from both real and anticipated threats.

However, only two-thirds (66 percent) enforce those policies among employees, potentially leaving the door open to attacks.

Clutch asked more than 300 corporate IT decision makers about what to include in a cybersecurity policy, and found that security software, data backup and storage, and scam detection are the most common areas these policies cover.

Clutch’s Grayson Kemper

Grayson Kemper, content developer at Clutch, tells Channel Partners the most surprising finding was that respondents consider protection from external threats to be the primary benefit of a cybersecurity policy.

“This does not align with the consensus among both industry research and the owners of cybersecurity firms we interviewed that internal threats (i.e employees) pose more of a risk to companies than external threats,” he said.

Phishing is the most common cybersecurity attack large companies experience, with 57 percent of IT decision-makers reporting their company experienced a phishing attack in the past year, according to the survey.

More than 80 percent of IT decision-makers said they proactively communicate their company’s cybersecurity policy, policy compliance and training to employees. Experts contribute the dropoff in enforcement to the struggle companies face when balancing policy adherence with employee concerns. This suggests that some employees’ work experience may be affected by a strict employer’s cybersecurity enforcement policy, Clutch said.

“IT can learn that communication and policy improvements go hand-in-hand,” Kemper said. “They need to invest resources into creating reference documents that clearly communicate to employees what the security threats are to their company and how employees should approach those risks. The better employees understand policy, the less likely they are to violate it and put their company at risk.”

IT decision makers think the best way to improve their companies’ cybersecurity policies is to invest in technology. In support of that position, 71 percent said their company will invest more in cybersecurity resources and technology over the next year.

“These same companies also claim that increased investment would improve their cybersecurity policies the most of any singular effort,” Kemper said. “I believe this demonstrates that large firms recognize that to improve their cybersecurity, they must increase the amount of resources they devote to it.”