A new survey shows that only three out of 10 organizations claim to be highly effective at cybersecurity—but the best share certain traits.
Every year, assaults on the world’s technology infrastructure continue to mount. And as last year’s widely publicized cyberattacks demonstrate, they can have serious real-world consequences.
Zero-day exploits like Log4Shell are targeting code libraries deployed by millions of organizations, allowing attackers to remotely control victims’ web servers. Advanced persistent threats (APTs) lurk inside corporate networks for months, quietly gathering intelligence and siphoning away sensitive data before they’re detected. Direct attacks on silicon, like the Spectre and Meltdown exploits, can evade traditional anti-malware software.
The numbers tell a grim story. Cyberattack-related data breaches in the U.S. increased 27 percent in 2021, according to the Identity Theft Resource Center. The average cost of an enterprise breach now exceeds $4 million, per a study by IBM. Palo Alto Networks’ Unit 42 consulting group reports that the amounts demanded by ransomware authors surged by more than 500 percent in the first half of last year.
What hasn’t grown in equal measure is our collective response. A new survey reveals that our ability to defend our technology infrastructure is not keeping pace with the volume and sophistication of attacks.
Survey highlights effective security strategies
In a biannual study sponsored by Hewlett Packard Enterprise, Ponemon Institute surveyed 1,848 technology and security practitioners across North America, the U.K., Germany, Australia, and Japan. While the answers suggest an industry that is falling behind in its battle against cyber adversaries, the report highlights several best practices enterprises can adopt to improve their security posture.
Some of the key findings:
- Just 30 percent of respondents rate themselves as highly effective at dealing with the current threat landscape, virtually unchanged from a similar survey conducted in 2020.
- Only 35 percent of respondents are confident that their networks have not been breached by an APT or similar attack.
- Even among those who rated their organizations as highly effective, just 47 percent are confident that their networks have not been compromised.
The most striking difference between the best and the ordinary? Two-thirds of the top organizations claim to have visibility and control over every user and device connected to their networks, while only 20 percent of the rest can make the same assertion.
“In general, organizations are reactive rather than proactive,” notes Chris Olson, CEO of The Media Trust, a digital security, trust, and safety platform. “The status quo is good enough, and it will remain good enough in the minds of relevant decision-makers until revenue loss and negative publicity change the cost-benefit analysis.”
Clearly, most organizations need to do more. Fortunately, the Ponemon report identifies four essential steps all of them can follow.
Learning from the best
Organizations that have invested in the technology and training needed to shrink their attack surface have done better than most. These high-performing enterprises have four key characteristics in common.
They’ve implemented a zero trust framework
A key differentiator between high-performing security organizations and the rest is the embrace of zero trust architecture. A zero trust model assumes a network has already been breached or that a breach is inevitable. It requires continual verification of users and devices to eliminate the ability of adversaries to move inside the network after they’ve gained access.
Earlier this year, for example, the White House Office of Management and Budget released its strategy for moving the whole of the federal government toward a zero trust model.
Yet, despite the clear advantages of zero trust, just 38 percent of survey respondents say they have implemented all or part of a zero trust framework. Only about a third are confident that they know the identity of all users and all devices connected to their networks.
Among the highest performing organizations, however, the number adopting zero trust jumps to 64 percent. Similarly, 56 percent of top-tier companies believe threats from inside the network have the potential to do the greatest harm, versus 45 percent of all others.
With attacks growing exponentially, enterprises should no longer treat employees and other insiders as innocent until proven guilty, says Hed Kovetz, CEO of multifactor authentication firm Silverfort. “The physical borders of the corporate network are becoming irrelevant due to the cloud, IoT, and BYOD,” says Kovetz. “We can no longer assume insiders can be trusted. We can’t trust anyone.”
They’ve automated their security response using AI
Not surprisingly, more mature security organizations are more likely to deploy automation to protect their networks and are seeing greater benefits as a result.
High performers find automation most useful in identifying attacks before they do damage (78 percent), reducing false positives that waste valuable time for analysts (74 percent), and implementing zero trust models (71 percent). Other companies land in the 50 to 55 percent range for all of these categories.
A primary component of automation is the use of AI and machine learning. More than half of all respondents say AI and machine learning are essential for detecting attacks on the inside before they do damage. Yet, overall, the use of AI in cybersecurity has remained relatively unchanged since 2020, with only a third of all companies surveyed deploying it at least partially.
The good news is that 42 percent of companies say they’re planning to implement AI as a key part of their cybersecurity strategy in the future.
“Leveraging AI is almost a must-have for combatting today’s cybersecurity risks,” says Aimei Wei, founder and CTO of threat detection and response platform Stellar Cyber. “With the attack surface increasing rapidly and the amount of data to be monitored and examined growing exponentially, rule-based and manually operated systems simply can’t keep up.”
They’re working to mitigate IoT vulnerabilities
Securing IoT devices remains a huge headache for IT organizations. As the Mirai botnet attacks demonstrated, even simple devices such as IP cameras and air quality sensors can be weaponized to take down entire sectors of the internet.
Nearly three quarters of the Ponemon study’s respondents (73 percent) acknowledge that legacy IoT devices are more difficult to secure, an increase of 4 percent over the previous survey.
Fewer than one in four organizations believe their IoT devices are properly secured. Even simple devices such as sensors pose a real threat to organizational security, according to nearly six out of 10 respondents.
Again, the difference between the top organizations and the rest is stark. Eighty-five percent of top-tier companies believe that identifying and authenticating IoT devices is crucial to their security strategy, and 40 percent have already done so. The numbers for lesser organizations are 55 and 15 percent, respectively.
Overall, more than half of organizations surveyed believe new solutions will be needed to secure devices at the edge.
They understand the importance of security to digital transformation
More than three quarters of the best-performing organizations understand how important security is to the success of their digital transformation initiatives. By contrast, just over half of other enterprises have achieved that understanding.
Overall, more than six out of 10 organizations say the biggest challenges to their transformation efforts are avoiding data breaches, limiting unauthorized access to data and applications, and complying with data privacy regulations.
“It should be clear by now that any organization contemplating a digital transformation needs to be following a ‘secure by design’ approach to security,” says Simon Leech, senior adviser for security and risk management at HPE Pointnext Services. “By addressing security up front in a digital transformation, both costs and timelines will be reduced, and efficient threat modeling will help to redefine the customer experience into something that reduces overall risk.”