#1254609: The Path to Cyber Resilience: Takeaways from the Scalar 2019 Security Study
The annual Scalar Security Study, published in February 2019 and conducted by IDC Canada, identified a new normal across the threat landscape: cybersecurity incidents, be it exfiltration, infiltration or denial of service, occur on a regular basis. Focused on small, midsize and large organizations in Canada, the study confirms that intrusions are inevitable and moreover that a majority of organizations experience successful attacks.
To address this, the focus of the Canadian organizations’ cybersecurity efforts is shifting from an emphasis on protection against attacks to improving the detection of malicious actors on the network and responding to and recovering from incidents as quickly as possible.
According to the report, organizations need to become cyber resilient, meaning that they should emphasize the importance of business continuity and the need to return to normal operations and a trusted state after an incident has occurred.
One key finding of the report is that the cost of compromise is at an all-time high. Although the average number of attacks per organization per year has declined (from 455 to 440 per organization), the average cost per organization of responding to and recovering from cybersecurity incidents has increased significantly (from $3.7 million to between $4.8 million and $5.8 million).
The major reason behind this increase is that detection and response times are too slow. This is due to deficiencies in planning for cybersecurity incident response and recovery to a trusted state. These deficiencies also result in unrealistic expectations for the time required to recover. Interestingly, even compliance with the basic cyber resilience practices has a positive impact on recovery time.
Another key finding is that the attack surface of the Canadian organizations is expanding exponentially because of remote access to corporate networks. This creates new opportunities for malicious actors to succeed in their nefarious plans. In addition, most Canadian organizations have to comply with three or more government or industry regulations. These relate to data or privacy (such as PIPEDA/Digital Privacy Act, SOX or GDPR).
Canadian organizations are adopting cloud solutions to migrate their infrastructure, but their cloud security strategies are not keeping up with the adoption rate. Less than 60% of organizations update their public cloud environments within a week of patch release. This leaves them vulnerable to targeted attacks conducted by malicious actors.
Last but not least, the security strategy of the Canadian organizations is shifting from protection to detection and response. Although traditional perimeter and endpoint security solutions will continue to be deployed, they are beginning to be complemented by AI, machine learning and new detection techniques. These three forces are key enablers for enhancing Canadian organizations’ security posture.
The main conclusion of the report is that Canadian organizations are still too confident in their capabilities to successfully defend against cybersecurity attacks, but the ever-growing significance of cybersecurity breaches occurring on a regular basis has made organizations rethink their cybersecurity strategies. This shift in security behavior is expressed by the adoption of technologies, leveraging artificial intelligence and machine learning that can more proactively detect malicious activity on networks and devices.
Despite that change, many organizations have deficiencies in how they handle the security risk created by people and inadequate cyber security planning. Organizations that understand cyber resilience and take a holistic approach suffer far fewer security incidents and significantly reduce the costs associated with them.
Discussion on the findings
The report identifies that most organizations are prevented from performing timely patching or software updates. To be fair, patching continues to be a difficult challenge for organizations of any size. Even with the best intentions, there are significant obstacles that delay patching. To be precise, the decision to roll out, roll back or disregard a specific patch falls within the larger context of vulnerability management. This is a security practice designed to proactively mitigate or prevent the exploitation of vulnerabilities.
Vulnerability management is more than just getting alerts whenever your infrastructure needs a patch applied. It is about making informed decisions and properly prioritizing what vulnerabilities to mitigate and how. This is achieved by embedding internal hooks for telemetry into all systems of interest as well as external hooks for threat intelligence from all sources. Vulnerability management has to be backed up by good threat intelligence that provides a deeper understanding of how and why threat actors are targeting certain vulnerabilities and ignoring others. Intelligence on vulnerability exploitability prepares your organization to strike the correct balance between patching vulnerable systems and interrupting business operations.
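The prioritization the two paragraphs above describe, as an added illustration that is not code from the Scalar study or IDC: asset records stand in for the "internal hooks for telemetry", advisories for the "external hooks for threat intelligence", and the one-week patch window mentioned earlier is used as the lateness yardstick. Every identifier, CVE id and sample value is constructed.

```python
# Added illustration, not code from the Scalar study or IDC. All identifiers,
# placeholder CVE ids and sample values below are constructed.
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 7  # the study's yardstick: patch within a week of release

@dataclass(frozen=True)
class Asset:
    name: str
    cve: str
    internet_facing: bool  # telemetry: part of the remote-access attack surface?
    criticality: int       # 1 (low) .. 3 (business critical)

@dataclass(frozen=True)
class Advisory:
    cve: str
    cvss: float
    exploited_in_wild: bool  # threat intel: are actors actually using it?
    released: date           # patch release date

def priority(asset: Asset, adv: Advisory, today: date) -> float:
    """Higher means patch sooner; exploitation, exposure and asset value outweigh raw CVSS."""
    score = adv.cvss
    if adv.exploited_in_wild:
        score *= 2.0   # intel says actors target this one, not merely that it is severe
    if asset.internet_facing:
        score *= 1.5   # reachable through remote access
    score *= asset.criticality
    if (today - adv.released).days > PATCH_WINDOW_DAYS:
        score += 10.0  # already outside the one-week window the study measures
    return round(score, 1)

def patch_queue(assets, advisories, today):
    """(asset, cve, priority) sorted top-first; a CVE with no intel scores 0.0 but stays visible."""
    intel = {a.cve: a for a in advisories}
    rows = [(a.name, a.cve, priority(a, intel[a.cve], today) if a.cve in intel else 0.0)
            for a in assets]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample: placeholder CVE ids, dates chosen around the study's publication.
SAMPLE_ASSETS = [Asset("vpn-gw-01", "CVE-0000-0001", True, 3),
                 Asset("hr-db-02", "CVE-0000-0002", False, 3),
                 Asset("wiki-03", "CVE-0000-0003", True, 1)]
SAMPLE_INTEL = [Advisory("CVE-0000-0001", 7.5, True, date(2019, 3, 20)),
                Advisory("CVE-0000-0002", 9.8, False, date(2019, 4, 10)),
                Advisory("CVE-0000-0003", 5.0, False, date(2019, 4, 12))]

def demo(today=date(2019, 4, 15)):
    return patch_queue(SAMPLE_ASSETS, SAMPLE_INTEL, today)
```

In the sample the CVSS 9.8 flaw on the internal database is not the top of the queue; the CVSS 7.5 flaw on the internet-facing gateway is, because intel reports it exploited and the patch is already three weeks old.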
TOP THREE ORGANISATIONAL CONCERNS
The report also mentions that the top three organizational concerns relating to security posture are about end-user risk: specifically, untrained staff who may become insider threats, mobility threats, and confidential and sensitive data not being backed up. Unfortunately, the human factor is still a security program’s weakest link, since nearly half of the companies surveyed do not conduct formal security training to help employees identify scams such as phishing or to properly handle sensitive data. Although there are various technological advances in behavioral analytics, organizations should not be over-reliant on technology. User awareness programs should be developed in a manner that promotes cybersecurity culture as an integral part of the organizational culture.
THE GOLDEN TRIANGLE OF CYBERSECURITY
This brings into discussion the Golden Triangle of cybersecurity: technology, people and processes. Many companies have invested heavily in acquiring technology to detect intrusions; however, they have not invested in training staff to properly configure and update these systems or to align the tools with a larger security strategy. On the other hand, the lack of streamlined processes overloads security teams with repetitive tasks and false positives. Once properly identified, these can be carried out by automated security orchestration solutions.
The use of such automation solutions, leveraging the power of AI and machine learning, will free up time for the security teams to detect intrusions. The Scalar security study highlights just this. There is a need for a change of attitude and for developing people and processes to streamline workflows and even automate some of these functions.
Speaking about processes, it is also interesting to note that updates to existing incident response plans occur following a security incident or because of changes to industry standards or government legislation. Considering the cost of a security breach, this is one area that really cannot afford to be neglected. There are many excellent reasons to update an incident response plan, but less than 40% of organizations are completing these updates.
INCIDENT RESPONSE PLANS
Organizations that have experienced a security breach know that during a breach it is not the moment to discover that the incident response plan needs to be updated. As a result, the costs associated with responding to, and recovering from, cybersecurity incidents are going up. Most of these costs are because of slow detection and response as well as deficiencies in planning. As Scalar’s Chief Technology Officer Theo Van Wyk wrote on a blog, “incident response documentation cuts downtime and saves money.”
A final thought. Most Canadian organizations are obliged to comply with numerous government or industry regulations. These are made for a good purpose: to protect our personally identifiable information (PII) and the organizations’ assets. But what happens when this plethora of regulations adds to the complexity of cybersecurity, especially if some measures or prerequisites contradict each other? The confluence of a threat landscape that is constantly evolving, an attack surface that is rapidly expanding and security compliance requirements that are increasingly complex makes cybersecurity an extremely difficult undertaking.
The reality is that there is no immunity against intrusion, operational disruptions and data theft. Thus, while prevention remains a key part of any cyber defense strategy, detection and remediation are quickly becoming critical focus areas for many organizations. These changes necessitate a new security approach, one that
integrates each of the security technologies into a whole, enabling transparency and centralized policy controls;
employs automation through an integrated security platform to minimize time-to-detect and time-to-respond, and also demonstrates compliance with industry regulations and security standards;
Date added: April 15, 2019, 3:23 p.m.