Phishing attacks were by far the biggest security threats faced by Australian businesses during 2018, according to a new survey that confirmed companies continue to be under siege from ransomware, business email compromise (BEC) and password compromise attacks.
“Phishing by far remains one of the biggest threats that we typically observe,” reported one respondent to a recent survey conducted by CSO & LogRhythm - The CSO Security Capabilities Survey 2019, which polled 100 Australian information-security leaders between February and April.
Ransomware, which is usually installed as a result of a phishing compromise, was called out as being particularly worrisome.
“I get the cold sweats just thinking about this plague on the world,” one respondent admitted. “It is still, in my opinion, the worst threat to our systems and by far the most damaging.”
Despite such fears, the survey revealed that Australian security leaders are struggling to keep up with a rising climate of cybersecurity compromise, often taking weeks to detect – much less deal with – security breaches.
Some 54.7 percent of respondents said they were able to detect their last security incident within hours and 23.2 percent said it took just minutes to detect. Yet a further 15.8 percent said it had taken them up to a week to detect their last security incident – and 6.3 percent had taken longer than that.
These delays raise serious issues for Australian businesses, which since the introduction of the Notifiable Data Breaches (NDB) scheme in early 2018 have been under legal obligation to detect and report on breaches as quickly as possible. After all, if entities cannot detect and evaluate a data breach quickly, the protections put in place by the Privacy Act and NDB scheme offer little chance of remediating the damage those breaches cause.
Skills and people – real or virtual
Yet with obligations around reporting and compliance continuing to increase, many organisations are struggling to get any more performance out of staff that are already stretched to breaking point.
Despite strategies for managing and leveraging security staff, qualified security people are increasingly difficult to attract and hire, and are being increasingly overworked as the cybersecurity threat steadily escalates.
“People can only respond to so many threats,” one respondent noted, “however this is unscalable.”
This dynamic had pushed security practitioners to review their processes and implement drastic measures to keep abreast of threats.
Fully 52.1 percent of respondents said they are streamlining their security technologies to reduce the complexity of their environments for their people, and most of those – 48.9 percent – were turning to automation to help their staff move away from security monitoring to focus on other tasks.
Less than 1 in 3 respondents said they were focused on hiring the best talent to manage their security staff – reflecting the complexity of getting good security staff in today’s market.
Others said they were variously focusing on managed services, careful application of software updates, application of security awareness programs, implementation of “proper” incident response plans, and extensive training and upskilling of their people.
The promise of AI and automation
Automation has been increasingly flagged as being crucial for rapid detection and response of cybersecurity incidents, and the survey revealed that Australian companies are still at a broad range of maturity levels when it comes to adopting the capability.
Around half of respondents said they had applied automated incident detection and response (IDR) to less than half of their infrastructure, while 15.8 percent said they had successfully rolled out automated incident detection and response capabilities across their entire infrastructure.
Automation has long been identified as a crucial capability for helping businesses scale up their cybersecurity efforts, with IDC adjunct research analyst Mike Chapple noting that the increasingly important capability “serves as a force multiplier by taking routine tasks off the plate of the cybersecurity team and allowing specialists to focus their effort on adding higher-level value to the organisation.”
Some respondents were well aware of this, citing the importance of using AI to reduce workloads on existing staff.
“These tools can provide automated rule sets to determine what course of action can be taken in emergency situations, and identify any toxic combinations of access,” one respondent said. “It is an uphill battle to ensure that these tools are correctly configured and up-to-date.”
Yet adoption of automation is still in its early days: 17.9 percent of the survey respondents said they had only deployed automation to less than half of their infrastructure, and 13.7 percent had not yet rolled out automated IDR at all. This suggests there is still a long way for Australian businesses to go when it comes to deploying the cybersecurity scalability to match the growing demands of digital transformation.
“Data security is an important element of all types of business,” one respondent said. “Entities must also implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected information.”
“In addition, the digital transformation is essential for all organisations if they wish to survive in a highly competitive market.”
Budget – and getting enough of it
With many competing priorities and challenges, CISOs must continually walk the line between security and insecurity. In the past, this has often been a lonely path – but with increasing recognition of cybersecurity as a business priority, many security practitioners report greater involvement from executives and budget increases that come with it.
A key goal for 2019, one respondent said, was “board awareness to spend money instead of being ignorant around company threats.”
Some companies were already responding with stronger support – fully 44.2 percent of respondents said their security budgets would increase by 5% or more in 2019 – although an almost equal percentage (46.3 percent) said their budget would stay the same. A few reported budgets that were increasing by 15 percent, 30 percent, or even doubling – suggesting a sudden heightened awareness of the increased risk that businesses now face.
Asked what risks they face this year, respondents offered a bevy of concerns.
Commonly identified issues such as malware and zero-day threats, identity theft, business email compromise, data loss, poor patching, credential theft, and data exfiltration were frequently named.
However, respondents also cited concerns with a growing risk of nation state-sponsored attacks; web site hacks leading to theft of customer information; man-in-the-middle WiFi attacks; cryptojacking; cloud security breaches; malicious mobile apps; insecure third parties; and Internet of Things devices.
“Attackers will live off the land using inbuilt tools to avoid whitelisting and malware detection,” one respondent said, noting that they expected “more attacks against web applications and users to obtain a foothold or credentials.”
The broad spectrum of responses confirms that security executives are facing a steady onslaught of attacks that target access credentials, weaknesses in devices, and potential weaknesses in the extended connectivity chains that cloud computing and managed service provision have created.
“Cyber attacks are increasing and data theft has been a trend in the IT industry,” one respondent said. “Data breaches are being done from inside the organisation as well, thereby compromising the company’s stake in the market. Disaster is a key potential threat for the company.”
Automation was flagged as a particular threat, since it allows compromises without even requiring human effort on the attacker’s side: one respondent said they were worried about “automated malware workflows that pursue phishing and credential abuse to implement BEC, lateral movement, ransomware and data exfiltration.”
Controlling this would expose businesses to inadequate processes for “managing identity and cloud security,” yet another respondent noted, “as there is a continued push to move services to the cloud, and support not only internal colleagues but data sharing overseas, between third party vendors, and clients. All the while, ensuring that the right people are getting access to the right content, and privileges/access rights are not being exploited.”
Eyes on the prize
That’s a tall order for any security executive – but it has become the everyday challenge as a growing climate of complexity rewrites the rules of security.
Asked how they would meet the threats they face in 2019, respondents were reaching into every corner to find the technologies and skills they would need to most effectively fight the battles ahead of them.
Better email and Web security gateways, AI-based endpoint security systems, stricter control over user access rights, SIEM systems, application whitelisting, tools for secure coding, and offline backups were just a few of the tools being eyed off as critical for improving the organisations’ cyber protections.
Yet for all the importance of security technology, one of the most consistently cited goals for this year was to improve user education, training, and engagement – to all staff.
Many respondents cited the need for better awareness or more awareness, while one respondent said it was important to have “more focus on making it real” for users.
“We need a security awareness training package that actually engages people,” one respondent said, “and doesn’t make them focus on what to click to finish.”
The CSO Security Capabilities Survey 2019 was conducted by CSO & LogRhythm to help us get a better understanding of our level of Capabilities in the ever-evolving threat-landscape that is Cyber Security.