The 2019 Scalar Security Study confirms the need for Canadian organizations of all sizes to have an accurate understanding of where they are exposed, how exposed they are, and what they can proactively do to reduce their Cyber Exposure gap.
The cost of a compromise is at an all-time high. Evolving threats are creating new opportunities for malicious actors. And cloud security is not keeping up with adoption rates. These are just some of the findings that caught our eye in the 2019 Scalar Security Study: The Cyber Resilience of Canadian Organizations.
The report confirms the need for Canadian organizations of all sizes to have an accurate understanding of where they are exposed, how exposed they are, and what they can proactively do to reduce their Cyber Exposure gap. Here, we highlight three key findings and offer our guidance on steps organizations can take to improve their cybersecurity strategy.
The Cost of Compromise Reaches an All-Time High
The average cost per organization of responding to and recovering from cybersecurity incidents increased significantly from $3.7 million last year, to between $4.8 million and $5.8 million this year, according to the report.
We believe it is time to rethink the approach organizations have traditionally taken to identifying and addressing flaws within infrastructures. The detect-and-response strategy cannot match the pace and persistence of attacks and, therefore, is not synonymous with conducting due diligence. With limited resources and visibility into how the malicious actors are infiltrating organizations today, the only way for organizations to keep up is by implementing a strategic approach to prioritizing their vulnerability responses.
Evolving Threats Create New Opportunities for Malicious Actors
Nearly 3% of attacks resulted in a successful exfiltration this year, versus the 2.1% reported in the 2018 Scalar Security Study. As new assets come online, new technologies are adopted, and malicious actors become more sophisticated in the ways they exploit vulnerabilities, organizations of all sizes will face increasing pressure to re-evaluate their cybersecurity strategy.
Improving your ability to prioritize how you respond to vulnerabilities is the first step. Tenable Research has found that organizations can dramatically improve their remediation efficiency and effectiveness by focusing on the 3% of vulnerabilities in their environment that have been or will likely be exploited. An effective cybersecurity strategy should no longer be focused on trying to patch all vulnerabilities as this can cause significant cost and effort addressing issues that only pose a theoretical threat. Rather, an effective strategy leverages data science, threat intelligence, and research to prioritize the vulnerabilities most likely to be exploited in an attack.
Of course, strategy and prioritization can only take you so far. If severe budget and resource constraints are hampering your organization’s ability to secure its entire attack surface, a viable option is to consider outsourcing security services to a managed security services provider (MSSP).
Cloud Security Is Not Keeping Up With Adoption Rates
More than 75% of respondents in the Scalar Security Study have either fully adopted cloud or are using a hybrid model of on-premises environments complemented by either Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS). Yet, the study found organizations are giving higher priority to their on-premises infrastructure, operating systems, and applications than to their public cloud environments.
With more than half of survey respondents reporting an attack against their cloud-based assets last year, complete visibility of on-premises and cloud infrastructure alike will be critical to staying ahead of malicious actors. Remember, today’s modern attack surface includes not only cloud assets but a host of legacy IT, operational technology (OT), Internet of Things (IoT), web applications and containers, all which must be discovered and monitored.
Modern asset types require a new approach to gaining visibility into the emerging attack surface, for example, “shifting left” into the development lifecycle of containers to identify vulnerabilities before they are deployed into production and leveraging passive approaches to gathering data on sensitive OT networks.
A Little Prioritization Goes a Long Way
Vulnerability prioritization has become a key area of focus for cybersecurity professionals in Canada. A successful prioritization plan will help you answer: Where should we prioritize based on business criticality of the assets affected? Which vulnerabilities are likeliest to be exploited? What should we fix first?
We recommend the following three-step approach to help drive better decision-making, reduce complexity, and ultimately mitigate cyber risks:
- Start with vulnerabilities that are being actively exploited. All vulnerabilities represent weaknesses, but exploitable vulnerabilities reflect real risk.
- Remediate vulnerabilities most likely to be exploited in the next few weeks. Predictive models provide insight into the likelihood that a given vulnerability will be exploited based on certain characteristics (e.g., past threat patterns, NVD data as well as threat intelligence).
- Address assets tagged as business critical. Critical assets are worth attending to since an attack on them could have broadscale effects on the business. Assets open to the internet should also be of particular concern as they are more often targeted by automated campaigns.
The above approach will dramatically reduce the list of vulnerabilities you need to remediate, enabling you to gain structure and control as you strive to close your organization’s Cyber Exposure gap.