Continual advancements in the threat landscape make it increasingly difficult for organizations to stay ahead of cyber threats. Unique malware variants are exploding—growing 43% from Q2 to Q3 in 2018. At the same time, malware families shot up 32%, and the number of unique malware detections per firm expanded 37% over the same timeframe.
There are many reasons for this explosive growth. The bar for accessing malware is lower than ever due to the availability of Malware-as-a-Service and other on-demand services on the Darknet. Attacks have become multivector, concurrently targeting different points on the attack surface—from the campus network to the network edge, endpoints to applications, and the on-premises data center to a growing number of cloud services. Exploits have also become “living organisms,” employing polymorphic malware to circumvent the latest signatures and patches. The saying “try, try, and try again” aptly describes the philosophy behind many cyber-attacks.
It Is Inevitable—Intrusions Will Happen
Most organizations are reaching the conclusion that their cybersecurity strategies must account not only for prevention and detection but also for remediation. Intrusions are inevitable, and boards of directors and CEOs are demanding cyber-resiliency—the ability to quickly mitigate and remediate a breach. Communicating potential consequences in terms that boards and business leaders understand enables them to make decisions that align with acceptable business risk. To do so, security leaders must measure the potential risk of a breach in terms of probability and cost.
Findings from the New Security Report by Scalar Decisions
Cyber resilience is the central issue Fortinet Partner Scalar Decisions, Inc. explores in its recent 2019 Security Study, which was conducted by IDC Canada. Focused on small, midsize, and large organizations in Canada, the study confirms that intrusions are inevitable and that a majority of organizations experience successful attacks—from operational disruptions to data theft to brand degradation (e.g., 58% of surveyed firms admit data was exfiltrated in the past 12 months).
The report includes some rich insights that Canadian cybersecurity leaders can tap into when developing their security strategies and plans for 2019—specifically their business continuity and disaster recovery capabilities following a successful cyber-attack.
1. Attacks Continue to be Pervasive and Increasingly Costly
The cost of a security incident is rising, jumping upwards of 57% over the past year—from C$3.7 million to as much as C$5.8 million—according to the study. Cybercriminals are becoming more effective once an intrusion is initiated. Here, Scalar found successful data exfiltration per intrusion rose 43% year over year.
The implications of this breach-cost spike are magnified by a nearly 34% increase in breaches—from 9.33 to 12.47 per firm. Data appears to be the primary target for many bad actors, with more than half of organizations reporting ransomware demands, encryption of data, and/or deletion of data as a result of a malicious intrusion.
2. Slow Time to Detection and Time to Response Amplify the Cost of Attacks
Whether we are talking about prevention, detection, or remediation, speed matters when it comes to cybersecurity. Not surprisingly, organizational confidence is much higher for time to detection than for time to response. Nearly half indicate they can detect breaches and infiltrations within hours. However, response to breaches is significantly slower. While a little more than one-third claim they can respond to breaches in hours, more than half admit it takes them a week to respond. Almost one-tenth report it takes them upwards of one month to respond.
With the increasing attention boards and executives are paying to cybersecurity, one would expect almost every organization to have a codified incident response plan in place. And while two-thirds indicate they have written policies and procedures in place, one-third concede their plans are either informal or non-existent. Cybersecurity technologies and solutions seem to be failing end customers, as the amount of time legal and cybersecurity teams spent responding to intrusions increased over 20% in the past year—to an average of 19.4 days annually.
3. Technology and Compliance Factors Make Cybersecurity More Difficult
Cyber-attacks and their detrimental repercussions on organizations are growing in scope due to multiple factors. As is evident from the above, the growing volume, velocity, and sophistication of cyber threats are certainly pivotal. But factors outside the threat landscape, such as new and expanding industry regulations and security standards, a rapidly expanding attack surface, and a fragmented security infrastructure that lacks security visibility and control, are just as important, if not more so.
The Scalar report tags two phenomena working in tandem that make it more difficult for firms to defend against cyber threats:
- Increasing openness of organizational infrastructure to outsiders
- Growing exposure to legal and industry compliance requirements
Regarding the former, while the internet has always offered a point of access to enterprise computing infrastructure, the recent growth of specialized customer, partner, supply chain, financial services/payments, and employee remote access portals dramatically extends an organization’s attack surface. Further, many of these access points offer deeper access into an organization’s business operations and data that adversaries can exploit.
As to compliance requirements, organizations must not only address the costs of achieving and demonstrating compliance with new and evolving regulatory regimes (the list is lengthy and includes the Canadian Digital Privacy Act, both the U.S. and Canadian versions of the Sarbanes-Oxley Act, and the European Union General Data Protection Regulation [GDPR]), but they also face serious penalties and fines for noncompliance. In addition to the above, many boards and executives are mandating adherence to one or more security standards, such as those published by the National Institute of Standards and Technology (NIST) or ISO 27001.
4. Cloud Security Lags On-Premises Security
Cloud adoption is extending the attack surface while creating new silos that obscure security visibility and controls. And while the Scalar study finds that on-premises environments are attacked at about the same rate as cloud environments, it also uncovers that organizations are slower to patch their cloud deployments than their on-premises ones. Surprisingly, midsize and large organizations are slower in patching their cloud environments than small businesses.
One factor behind the slower security responses to cloud vulnerabilities may be the growing number of clouds in use and the fragmentation this creates in visibility and in the ability to automate security controls across each of them. As to why larger organizations are slower to respond to cloud threats, the breadth of their cloud deployments is one possible reason, with the typical enterprise relying on an average of 62 different cloud applications.
5. Strategy Is Shifting from Protection to Detection and Response
Organizations expect to increase investments in new cybersecurity technologies that focus on finding and remediating threats faster, thereby decreasing the amount of downtime and impact resulting from security breaches. Top detection and response technologies where organizations plan to increase their investments over the next three years include:
- Data encryption
- Security information and event management (SIEM)
- Next-generation firewalls
- User behaviour analytics
At the same time, security leaders plan to reduce their emphasis on traditional security tools, such as email security, endpoint protection, and identity and access management.
5 Key Takeaways for Security Leaders
Overall, the data within this report aligns with trends in other markets. The confluence of a threat landscape that is constantly evolving, an attack surface that is rapidly expanding, and security deployments and compliance requirements that are increasingly complex makes cybersecurity an extremely difficult undertaking.
The reality is that nearly no organization is immune to an intrusion and the operational disruption, disablement, and data theft that can follow. Thus, while prevention remains a key part of any cyber-defence strategy, detection and remediation are quickly becoming critical focus areas for many organizations.
These changes necessitate a new security approach, one that reflects the following core principles:
- Organizations with point security solutions must reevaluate their architectural approach in order to gain the speed required to keep pace with today’s threat landscape. A security fabric that integrates each of the technologies into a whole, enabling transparency and centralized policy controls, is a requisite.
- Manual workflows and manual threat-intelligence sharing between different security elements dramatically ratchet up an organization’s risk. Time-to-detect and time-to-respond windows must shrink dramatically in order to stop many threats and to remediate when an intrusion does occur. Automation, which is only possible through an integrated security platform, is the linchpin. It is just as critical when it comes to tracking, reporting, and demonstrating compliance with industry regulations and security standards.
- A reactive security posture is too slow and ineffective to stop many advanced threats. Security leaders must utilize security tools that provide them with real-time visibility across the entire attack surface. Additionally, a proactive security posture relies on real-time threat intelligence and its dissemination across and between each security element.
- To reduce the risk of threats and minimize the exposure from intrusions, security organizations need to employ intent-based segmentation that leverages business rules to segment the network, users, applications, and data.
- To combat increasingly sophisticated and intelligent threats that employ machine learning (ML) or even artificial intelligence (AI), security solutions must leverage the same advanced technologies. AI/ML capabilities can dramatically extend security capabilities—whether identifying unknown threats, minimizing false positives, or pinpointing potential user and endpoint threats.