New and evolving threats combined with persistent resource challenges limit organisations’ abilities to defend against cyber intrusions, according to the second installment of ISACA’s 2017 State of Cyber Security Study.
80 per cent of the security leaders who participated in the survey believe it is likely their enterprise will experience a cyber attack this year, but many organisations are struggling to keep pace with the threat environment. More than half (53 per cent) of survey respondents reported a year-over-year increase in cyber attacks for 2016.
Changing threat entry points and types of threats:
1. IoT has overtaken mobile as the primary focus for cyber defences, as 97 per cent of organisations report a rise in its usage. As IoT becomes more prevalent in organisations, cyber security professionals need to ensure protocols are in place to safeguard these new threat entry points.
2. 62 per cent reported experiencing ransomware in 2016 but only 53 per cent have a formal process in place to address it—a concerning number given the significant international impact of the recent WannaCry ransomware attack.
3. Malicious attacks that can impair an organisation’s operations or user data remain high in general (78 per cent of organisations reporting attacks).
Additionally, fewer than one in three organisations (31 per cent) say they routinely test their security controls, and 13 per cent never test them while 16 per cent do not have an incident response plan.
Christos Dimitriadis, ISACA board chair and Group Head of Information Security at INTRALOT says: “There is a significant and concerning gap between the threats an organisation faces and its readiness to address those threats in a timely or effective manner. Cyber security professionals face huge demands to secure organisational infrastructure, and teams need to be properly trained, resourced and prepared.”
The cyber security resource problem
This year’s survey respondents indicated that, while cyber security is a priority for enterprise leadership, roadblocks facing cyber security professionals remain.
The good news: more organisations than ever now employ a chief information security officer—65 per cent, up from 50 per cent in 2016.
However, security leaders continue to struggle to fill open cyber security positions, as indicated by this year’s State of Cyber Security report, and nearly half (48 per cent) of respondents don’t feel comfortable with their cyber team’s ability to address anything beyond simple cyber security issues. Additionally, more than half of all respondents say cyber security professionals lack an ability to understand the business.
Cybercrime cost $650 billion in 2016
IDC analysts estimate that in 2016 cybercrime cost the world economy $650 billion, and by 2020 this number will reach more than $1 trillion.
Sergey Ozhegov, CEO of information security company SearchInform, told AMEinfo: “The Middle East has experienced a large volume of cyber attacks over the last year, followed by many covert threats highlighting the need for proper security.”
Similarly, experts noted that cyber attacks will acquire a ‘physical’ nature, with five per cent of information crimes leading either to the destruction of data or to damage to physical resources or infrastructure.
Training is critically needed
Though training is critically needed to address these skill shortages, one in four organisations has a training budget of less than $1,000 per cyber security team member. The ISACA report says that while overall cyber security budgets remain strong, fewer organisations are increasing their budgets this year. About half will see budget increases, down from 61 per cent in 2016.
Dimitriadis said: “The rise of CISOs in organisations demonstrates a growing leadership commitment to securing the enterprise, which is an encouraging sign. But that’s not a cure-all. With the number of malicious attacks increasing, organisations can’t afford a resource slowdown.
“Yet with so many respondents showing a lack of confidence in their teams’ ability to address complex issues, we know there is more that must be done to address the urgent cyber security challenges faced by all enterprises.”
Cyber criminals changing attack strategies
Highlighting the shift in cyber criminals’ focus from attacking technical vulnerabilities to exploiting user behaviour, SANS Institute, in its survey titled ‘SANS 2017 Endpoint Risks and Protections’, found that browser-based attacks and social engineering are now the two most powerful techniques targeting organisations. Both techniques prey upon users as the initial point of entry.
Ned Baltagi, Managing Director, Middle East & Africa at SANS said: “Cyber criminals are going after the weakest link – the employee. Unfortunately for organisations, this means that even after they have invested heavily in IT security technologies, poor security awareness among employees can still result in their systems being breached.
“Social exploits are becoming more sophisticated than ever before, and even employees with the best intentions can severely compromise the cyber security of their organisation.”
While users represent the top target leveraged by attackers, vulnerabilities such as misconfigurations or software flaws were also commonly leveraged in attacks against the endpoints, ranking as the third most common source of significant compromise, according to survey respondents.
Such vulnerabilities have been responsible for a number of large-scale attacks, including the very recent and infamous WannaCry, which is considered to be the most successful ransomware campaign to date.