Keeping up with the ever-evolving threat landscape is an arduous undertaking. Regardless of the size of your organization—small, medium, or large—the dangers are real and present.
The digital transformation sweeping across most businesses exacerbates the challenges of security. The attack surface is dramatically broader (and still growing) as a result of cloud adoption, growth in the Internet of Things (IoT), and mobile, while cybercriminals are becoming increasingly sophisticated, with attacks that are more polymorphic and increasing in volume and velocity. Findings in Fortinet’s latest quarterly Global Threat Landscape Report certainly corroborate the fact that it is becoming more and more difficult for organizations to protect their network, applications, users, and data. For example, in just this last quarter, exploit detections per firm increased 82% over the previous quarter, malware families grew by 25%, and unique variants rose by 19%.
The recently released 2018 Scalar Security Study from Fortinet Managed Security Services Provider (MSSP) Partner Scalar Decisions supports these findings. Commissioned by Scalar Decisions to perform and publish the research, IDC Canada surveyed cybersecurity postures and programs at 400+ Canadian small, medium, and large enterprises. One of the key takeaways in the report is the growing intensity of attacks. For example, the average company finds itself under attack by hackers more than once a day, while 87% of the respondents admitted they have suffered at least one successful breach in the past 12 months.
A deeper drill down into the report reveals some additional takeaways worth mentioning:
1. Economic Loss-Repair Cost Ratio
Of the organizations reporting security breaches (87%), 79.6% classify them as “high impact” (and only 20.4% as “low impact”). With the average cost of a breach tagged at C$3.7 million, this adds up to a huge expenditure. A breakdown of this number shows a 15:1 ratio between economic losses and repair costs: C$3.5 million for system downtime, employee productivity losses, record compromises, and sensitive personally identifiable information (PII) data, as compared to C$215,000 for repair and remediation after discovering a breach.
This is a substantial cost-benefit (or economic loss-cost) ratio—namely, it is much easier and cheaper to patch vulnerabilities than to wait for the repercussions of an exploit to occur. For example, also in a quarterly Global Threat Landscape Report, Fortinet found that 90% of firms recorded exploits against vulnerabilities that were older than three years. In the same report, 60% experienced an exploit for which a patch had been available for more than 10 years. It is on the subject of patching that the Scalar Decisions report reveals more granularity:
- Organizations are fairly prompt in patching and updating PCs (70%) and smartphones/mobile devices (81%) within a week of initiating a change action
- Timeliness deteriorates sharply, however, for patches and updates to on-premises databases, applications, and servers (13% within one week, 71% within one month, 15% within one year or more); web applications (11% within one week, 30% within one month, 59% within one year or more); network equipment (12% within one week, 59% within one month, 29% within one year or more); and public cloud resources (12% within one week, 22% within one month, 66% within one year or more)
2. Organizational Size and Impact
Another interesting finding in the report is that breaches cost smaller firms more than large ones: C$13,000 per employee for small firms, C$3,700 per employee for midsize firms, and C$755 per employee for large firms. One reason may be the nature of the data; small firms classify 61% of compromised data as sensitive, as compared to 41% at medium-sized and large companies.
Small firms are also limited in the number of security technologies and services they can use and the number of security staff they can hire, so they present an easier and broader target for cybercriminals (e.g., large organizations detect breaches 40% faster than small firms). Small businesses (and for that matter organizations of any size) therefore need to ensure their security architecture doesn’t resemble a piecemeal set of point products that lack integration and take substantial time to manage. Rather, they require security solutions that deliver a high price-performance ratio while providing tight integration that unlocks automation.
3. Transparent Visibility and Controls
Enterprise-wide visibility and policy controls are lacking, according to the report. This is evident in multiple ways:
- 96% say they inventory IT assets in their domains, but only 43% indicate that they can do this across their entire IT estate
- 98% say they work to actively discover and assess security vulnerabilities, but only 69% report that they perform this over their full infrastructure
- 87% assess potential business impacts of data loss, but this typically covers 31% of their organization
- 85% deploy security solutions, but only 29% are confident that these reach all vulnerable assets in their sphere of responsibility
The need for visibility and control across the entire IT infrastructure and assets is critical. Without it, organizations find themselves in a reactive security mode and expend valuable time and resources trying to gain transparent visibility and control by compiling manual logs and performing other time-intensive tasks.
4. Preparedness: Risk Assessment and Incident Response
The stark reality is not if an organization will be hacked but rather when. The sophistication and fast-changing dynamics of the threat landscape make it virtually impossible for an organization to avoid being hacked. As a starting point, organizations must understand their security risk posture. In the Scalar Decisions report, survey respondents with a security risk plan suffer an average of 32% fewer breaches than counterparts without one.
But simply understanding your risk isn’t enough. You must also institute and document an incident response plan. Yet, there are some significant gaps here:
- 39% of small firms and 17% of midsize firms have either no security incident response plan or only an informal one
- While the majority of firms (small, medium, large) have documented incident response plans, almost half—in all three instances—fail to update them regularly
The upside is that with the combination of the right technologies and processes, organizations can quickly identify and eliminate intrusions—either eliminating or minimizing their impact. However, without the right incident response plan, organizations exacerbate the effects of a malicious intrusion and breach. Proof is in the data of the survey; those with a documented, updated incident response plan spent half the money and 20% less staff time responding to and recovering from breaches.
5. Top Threat Concerns
Organizations exhibit close agreement in their perceptions of threat priorities. The top 10 threats in order of decreasing perceived prevalence and urgency include:
- Insider/Malicious Employees (63%)
- Cloud Security (63%)
- Public Exposure of Customer Data (62%)
- Data Not Being Backed Up (40%)
- Internet of Things (IoT) Security (37%)
- Security-Related Downtime of Business-Critical IT Resources (34%)
- Mobile Threats (28%)
- Hacktivism (21%)
- State Sponsored Attacks (19%)
- Ransomware (15%)
As is immediately obvious, there is a dramatic drop-off between the top threat concern and the last one on the list. Organizations’ dismal assessment of their cybersecurity awareness training programs confirms why Insider/Malicious Employees ranks #1 (employees fail to update PC and mobile device operating systems and apps for 71% of the firms surveyed, only 41% train employees on the sensitive handling of data, and 74% do not train their employees on how to recognize phishing, spam, and social engineering attacks). The challenges associated with an expanded attack surface are also reflected in the findings (cloud security at #2, IoT at #5, and mobile at #7).
Navigating the Threat Landscape
Nothing is static when it comes to the threat landscape. Navigating this dynamic and often complex environment can be quite challenging, particularly when dealing with finite resources and budget. Indeed, threats are not only growing in number, but they also are becoming more sophisticated. Cybercriminals can purchase malware-as-a-service solutions that enable them to launch attacks in minutes and hours rather than weeks or months. Attack vectors are increasingly polymorphic, whereby attacks target multiple vulnerabilities at the same time and utilize file-less malware that is not memory dependent. The list could go on.
Scalar Decisions’ assessment of the cybersecurity readiness of Canadian organizations shows they are not immune to these challenges. Attacks are becoming more frequent and costly, pushing organizations to rethink traditional approaches to security and to transition to advanced threat protection capabilities.