Nearly all security executives anticipate being attacked online this year but nearly half believe their cybersecurity team lacks the resources to address anything beyond simple security issues, according to new ISACA research that reinforces the growing risks posed by an increasingly-expensive cybersecurity climate.
ISACA’s 2017 State of Cyber Security study found that while most organisations are cognisant of the risks around cybersecurity compromise – in particular from Internet of Things (IoT) devices, which for the first time passed mobile technology as the biggest area of cybersecurity concern – many are doing little or nothing to bolster their defences.
Only 31 percent of surveyed organisations said they routinely test their security controls, while 13 percent admitted they never test those controls and fully 16 percent don’t even have a response plan to test.
“There is a significant and concerning gap between the threats an organisation faces and its readiness to address those threats in a timely or effective manner,” Christos Dimitriadis, ISACA board chair and group head of security at INTRALOT, said in a statement. “Cyber security professionals face huge demands to secure organisational infrastructure, and teams need to be properly trained, resourced and prepared.”
Many executives, however, readily recognise that they are anything but prepared: although 62 percent of companies reported experiencing a ransomware attack during 2016, just 53 percent have formal processes in place to deal with those attacks – leaving them outclassed and outgunned in the wake of attacks like the self-propagating WannaCry, which infected several hundred thousand European computers before largely fizzling out in the US and Australia.
That ransomware attack served as a potent reminder for security professionals that have been reminded almost constantly that the attack was entirely avoidable.
Yet fully 37 percent of Australians, in a survey of 492 consumers conducted by security vendor WatchGuard Technologies at last month’s CeBIT conference in Sydney, said they weren’t certain if they were protected at all against ransomware; fully 46 percent said they knew of an organisation that had been hit by such an attack.
“Cybercriminals may well take ransomware to the next level in the second half of 2017 and it’s only a matter of time before self-spreading ransomware – ransomworms – begin to wreak havoc,” WatchGuard ANZ regional director David Higgins said in a statement.
“By taking a comprehensive and multi-layered approach to security, organisations can reduce the likelihood they will fall victim to malware a
ttacks and avoid the disruptive and potentially costly problems they can cause.”
Fully 45 percent of ISACA respondents said that disruption of service was attackers’ primary motivation this year, reinforcing the importance of companies working to minimise their exposure to attacks.
That exposure causes more than hand-wringing for overworked CISOs: time is money, as confirmed by a recent Aberdeen Group-McAfee analysis of attack costs.
Responding twice as quickly to data breaches can lower the business impact by about 30 percent, the analysis concluded, while bring twice as fast at threat detection and incident response can lower the business impact of an attack by 70 percent.
“Enterprises need to recapture the advantage of time when it comes to security risk,” report author Derek Brink, a research fellow in information security with Aberdeen Group, advised while recommending that businesses focus on capabilities designed to reduce the likelihood and business impact of attacks; maintain the productivity of users; and increase the productivity of defenders.
Yet making this happen requires extensive investments in training – and ongoing cybersecurity education carries its own costs. ISACA figures suggested that 32 percent of companies are spending from $US1000 ($A1330) to $US2500 ($A3325) per security professional per year. A quarter spend less than $US1000 per year.
Recognising the need for higher-level skills to better manage the threat, many businesses are finally appointing formal CISOs to spearhead the defence: fully 65 percent of organisations ISACA surveyed had a CISO in 2017, up significantly from the 50 percent that had such an executive in 2016.
This is an “encouraging sign” that “demonstrates a growing leadership commitment to securing the enterprise,” Dimitriadis said. “But that’s not a cure-all.”
“With the number of malicious attacks increasing, organisations can’t afford a resource slowdown. Yet with so many respondents showing a lack of confidence in their teams’ ability to address complex issues, we know there is more that must be done to address the urgent cyber security challenges faced by all enterprises.”