New research from Sophos suggests that two thirds of organisations were hit by a cyberattack last year. The report lists the three biggest reasons why organisations are still struggling to reduce their risk:
- Attacks are coming in from multiple directions
- Cyberattacks are multi-stage, coordinated and blended
- Technology, talent and time are in short supply
Here’s a closer look at what the researchers found – and what all of this means for IT managers and anyone looking to strengthen their cybersecurity career credentials.
Research findings in brief
Sophos commissioned an independent survey of 3,100 IT managers across 12 countries between December 2018 and January 2019.
Titled ‘The Impossible Puzzle of Cybersecurity’, the central message of the report is pretty clear: the game of cat and mouse between IT/Security professionals and cyber criminals continues unabated. Just as cybersecurity protection technologies are advancing, so too are the capabilities of threat actors – and overstretched IT/Security teams are struggling to stay on top.
Cybersecurity attack rates
68% of respondents said that their organisations were hit by a cybersecurity attack last year. Of those organisations that had been hit, the average number of attacks for the year was two. 10% of organisations had been hit by four or more attacks.
Nine in ten respondents whose organisations had been hit claimed to have up-to-date attack protection measures in place at the time of the attack. This provides a reminder of the need for organisations to operate in “assume breach” mode. In other words, you need to recognise that no matter how robust your perimeter protection, the risk of breach can never be completely eliminated.
What keeps security managers awake at night?
When asked to rank the consequences of cybersecurity breaches in order of importance, here’s how they responded:
- Data loss. Almost a third of respondents placed this as their top concern – and more than two thirds had it in their top three. The message seems clear: to increase peace of mind, businesses need to ensure they are investing adequately in backup, recovery and data loss protection (DLP).
- Cost. 21% of respondents cited cost of response as the biggest concern arising from cybersecurity attacks. Research from elsewhere suggests that these costs are on the rise. Ponemon found that for small to medium-size businesses, the average cost of a security breach increased by 61% from $229k in 2018 to $369k in 2019.
- Business damage. 21% of respondents rated this as their top concern, while 56% listed it as a top three worry. PwC found that 85% of consumers will not do business with a company if they are worried about its security practices. The knock-on reputational effects of a significant cybersecurity attack can be at least as costly as the initial response costs.
Attacks from multiple directions
Email remains the most common attack vector, used in 33% of cases. The web comes a close second, used in 30% of attacks. 23% of attacks used software vulnerabilities as the means of entry, and 14% were launched via USB stick or other external devices.
For 20% of incidents, respondents were unable to identify the attack vector. This strongly suggests that effective incident response capabilities are absent in those organisations. As the report authors put it, “if you don’t know which security door has been left open, it’s hard to shut it”.
There are regional variations in the prevalence of these threat vectors. For instance, software vulnerabilities top the list for India, while a quarter of attacks in Mexico are via USB sticks/external devices.
Comment: Responding to the risk of attack from multiple vectors
The absence of a single, overwhelmingly popular vector shows that businesses need to take a multi-pronged approach to minimise the risk. This includes:
- Spam filters, page blockers and policies warning against clicking on links/attachments from unknown sources to reduce the likelihood of email/web-based attacks.
- Keeping on top of patch updates to reduce risks from software vulnerabilities.
- Where practical, physical port restrictions at endpoint level to deal with the risk of attacks being introduced via USB drives & devices.
The nature of attacks: Multi-stage, coordinated and blended
Respondents suggested that attacks they had experienced included the following elements:
- 53% Phishing email
- 41% Data breach
- 35% Malicious code
- 35% Software exploit
- 21% Credential theft
These figures (which add up to far more than 100%) suggest that most organisations are experiencing multi-faceted attacks. Examples include users being successfully targeted with phishing messages, which triggers the launch of malicious code, leading to unlawful system access and, in turn, a data breach.
Companies are short of technology, time and talent
On average, IT departments devote 26% of their time to managing cybersecurity. This may seem like a significant chunk of resources, but evidence suggests that it’s not enough. A lack of specialist human resources is a major issue, with 86% of managers saying that they require greater cybersecurity skills within their organisation.
One way of addressing this is for organisations to look for ways to do more with less: examples include enhanced security information and event management (SIEM) capabilities and increased automation in areas such as patch management, backups and reporting.
Individuals have a big role to play, too – not least when it comes to seeking out training opportunities to bridge the skills gap. One thing is particularly clear: with eight in ten organisations saying they are struggling to recruit security talent, those individuals who are ready and willing to boost their cybersecurity skills portfolio are likely to find themselves increasingly in demand.