This year's edition of the Scalar Security Study, conducted by IDC, demonstrates that we are still in the infancy of cyber security maturity, but awareness of some of the issues and solutions is leading to progress.
Reported breaches are up 33% year over year. Canadian organizations spent $4,800,000-$5,800,000 (up 57% from $3,700,000) to manage a data breach from start to finish. The adage that an ounce of prevention is worth a pound of cure applies well here, since most organizations would never spend that much on solutions to prevent, or at least identify, the breach.
What matters more, though, is what these breaches cost the users. It cost organizations ~$2,677 per user to recover from a breach. But when the data is Personally Identifiable Information (as it was in 25.1% of exfiltrations), credit and debit card numbers, account information, health care data, or any of the myriad other information that, once stolen, can affect a person beyond their lifetime (think identity theft), the cost to the individual grows by orders of magnitude.
Where we really start to see awareness and acceptance is in the 87% of organizations surveyed that reported at least one cyber security incident for the year. Those are only the incidents they found out about. It is easy to identify a DDoS attack when your internet connection feels, and is, unusable. It is easy to know you have been hit with ransomware when the adversary tells you about it on every system. It is much harder when the adversary deliberately applies stealth at every step of the attack and lives in the environment for months, making sure they get exactly what they want.
Prevention capabilities have improved enough that we can again turn to detecting the small amount of activity that slips through. On average, organizations surveyed are ~42% confident in their ability to prevent attacks up front. That number has increased for small and medium organizations and decreased for larger ones. As better technology becomes more cost-effective for smaller organizations, they (and society in general) reap the benefits, while larger organizations are likely starting to exhaust the number of solutions they can implement and manage correctly. This shows in the finding that respondents use only 20% of Next Generation Firewall features today but expect to use 57% in 3 years. We need to accelerate that timeline.
With the toolsets available I like to think about the attacks as being guided into a funnel. The NGFW should block 98%+ of all threats. The endpoint security solution should complement the NGFW (rather than do more of the same thing) and prevent 99%+ of what is left. That is an excellent starting point. From there, behavioural analytic solutions can systematically hunt for threats in the environment and find the snakes in the grass. Finally, detection and response tools, together with threat intelligence, let analysts compare indicators of compromise against previously seen artifacts and reach a resolution faster. Other solutions such as DLP and API security will help, but the technologies above do the majority of the heavy lifting and, when implemented correctly, provide a great return on investment.
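The last stage of that funnel, comparing artifacts in your own telemetry against indicators of compromise, is simple enough to show end to end. The following is an added example and not code from the study or its authors: the IOC feed (two domains, one network range, one file hash) and the six JSON log records are constructed for illustration, using RFC 5737 documentation addresses and the SHA-256 of empty input, and the field names `query`, `dst_ip` and `sha256` are assumptions. It also computes the residual fraction of attacks that survives the 98% and 99% layers above, which is the slice detection has to catch.

```python
"""Match constructed log records against a constructed IOC set.

Added example, not part of the Scalar/IDC study. All IOC values,
log lines and field names below are invented for illustration.
"""
import ipaddress
import json
from collections import Counter
from dataclasses import dataclass

# Constructed threat-intelligence feed: the "previously seen artifacts".
# Domains stored lowercase with no trailing dot; hashes stored lowercase hex.
IOC_DOMAINS = {"update-check.example", "cdn-static.example"}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 TEST-NET-3
IOC_SHA256 = {
    # SHA-256 of empty input, used only as a well-known placeholder hash
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# Constructed sample telemetry: one JSON record per line (DNS, proxy, EDR-style).
# Note the mixed case and trailing dots, which real feeds and logs also produce.
SAMPLE_LOGS = """
{"ts":"2017-05-01T10:00:01Z","type":"dns","host":"ws-17","query":"Update-Check.example."}
{"ts":"2017-05-01T10:00:02Z","type":"proxy","host":"ws-17","dst_ip":"203.0.113.45","url":"http://203.0.113.45/a"}
{"ts":"2017-05-01T10:00:03Z","type":"edr","host":"ws-17","sha256":"E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}
{"ts":"2017-05-01T10:00:04Z","type":"dns","host":"ws-22","query":"mail.internal.example."}
{"ts":"2017-05-01T10:00:05Z","type":"proxy","host":"ws-22","dst_ip":"198.51.100.7","url":"https://198.51.100.7/"}
{"ts":"2017-05-01T10:00:06Z","type":"dns","host":"ws-09","query":"x.cdn-static.example."}
"""


@dataclass(frozen=True)
class Match:
    host: str
    ts: str
    indicator: str  # the IOC value (or network) that matched
    field: str      # the log field it was found in


def residual_fraction(block_rates):
    """Fraction of attacks that survives a chain of preventive layers.

    residual_fraction([0.98, 0.99]) is 0.0002: two in ten thousand reach
    the hunting/detection stages, which is why those stages still matter.
    """
    remaining = 1.0
    for rate in block_rates:
        remaining *= 1.0 - rate
    return remaining


def domain_hit(name):
    """Return the IOC domain that matches name exactly or as a parent domain.

    Comparison is case-insensitive and ignores a trailing dot, so
    'x.Cdn-Static.example.' matches the IOC 'cdn-static.example'.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def ip_hit(addr):
    """Return the IOC network containing addr, or None (also for non-IP input)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in IOC_NETWORKS:
        if ip in net:
            return str(net)
    return None


def scan(log_text):
    """Run every record in log_text past the IOC set; return the matches in order."""
    matches = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if "query" in rec and (d := domain_hit(rec["query"])):
            matches.append(Match(rec["host"], rec["ts"], d, "query"))
        if "dst_ip" in rec and (n := ip_hit(rec["dst_ip"])):
            matches.append(Match(rec["host"], rec["ts"], n, "dst_ip"))
        if "sha256" in rec and rec["sha256"].lower() in IOC_SHA256:
            matches.append(Match(rec["host"], rec["ts"], rec["sha256"].lower(), "sha256"))
    return matches


def hosts_by_hit_count(matches):
    """Rank hosts by number of IOC hits, most suspicious first."""
    return Counter(m.host for m in matches).most_common()


if __name__ == "__main__":
    print(f"residual after NGFW+endpoint: {residual_fraction([0.98, 0.99]):.4%}")
    for m in scan(SAMPLE_LOGS):
        print(f"{m.ts} {m.host:6} {m.field:7} -> {m.indicator}")
    print(hosts_by_hit_count(scan(SAMPLE_LOGS)))
```

The normalization steps are the part worth copying: the IOC feed and the logs rarely agree on case or trailing dots, and a parent-domain match catches the `x.cdn-static.example` hostname that an exact-string comparison would miss. Ranking hosts by hit count gives the analyst a starting point, here `ws-17` with three hits across DNS, proxy and endpoint telemetry, rather than a flat list of alerts.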
The fight for security in cyber space is the fight for privacy. We are fighting to keep our PII, financial records, health records, social insurance numbers, ideas, thoughts and intellectual property private. Until that data becomes immutable and/or anonymous, so that its exposure no longer matters to the individual, we need a way to keep it secured. We are also feeling the looming threat against the internet of things that controls our electricity, water, heat, cooling, food supply, and almost every form of travel. Not only has the adversary changed, but the effects on society have changed.
I appreciate the authors using the term "practice" in the context of cyber resilience. There will never be an end to the problem of security. If someone (or something) can make a thing, someone (or something) else can break it. And they will. All we can do is keep practicing and evolving security from the development stage to the incident response stage and everything in between.