Sixty-one percent of organisations polled in a new survey responded that they'd been hit by a ransomware demand. But perhaps more troubling was the finding that a third of those paid the ransom.
This was but one of the findings in CyberEdge Group's "2017 Cyberthreat Defense Report," [PDF, registration required] the research and marketing firm's fourth-annual look at the top cyber-threats facing organisations – and what IT security personnel are doing to defend against them.
Cyber-attacks have reached an all-time high, the 37-page study determined, with the percentage of organisations affected by successful cyber-attacks rising for the third consecutive year – from 62 percent in 2014, to 70 percent in 2015, to 76 percent in 2016 and now to 79 percent in 2017.
After querying more than a thousand IT security personnel from 15 countries across a variety of industries, the study determined that not only are network breaches increasing, but employees lacking sufficient security training pose the greatest security risk to organisations, and malware retains its place as a constant threat.
Further, one in five respondents said they were dissatisfied with the protections provided by Microsoft for securing Office 365 environments.
However, the report seeks to go beyond merely counting attacks and to determine which tactics and technologies organisations are using to fend them off. For example, the CyberEdge report said that establishing effective cyber-security defences requires more than simply implementing next-generation technologies designed to detect the latest wave of elusive cyber-threats. "In fact, given that most breaches today result from threat actors' exploiting known vulnerabilities or configuration weaknesses, a more sensible strategy may be to reduce one's attack surface first, and then use an overlapping set of detection-focused countermeasures to mitigate the residual risk."
A lack of trained IT security personnel was also made clear in the study, with nine out of 10 respondents claiming that their organisation is at a disadvantage owing to a global shortage of skilled IT security personnel. In fact, just over half of respondents said they were leveraging external vendors and contractors to fill the void.
"If the definition of insanity is doing the same thing repeatedly and expecting a different result, then perhaps, as an industry, we're going insane," Steve Piper, CEO of CyberEdge Group, said in a statement. "Each year, we invest more in security, yet frequency and severity of data breaches rise. But why?"
His explanation starts with low security awareness among employees as the greatest inhibitor. The solution, he said, is to invest more in training.
The other big issue Piper sees is the fact that most data breaches stem from exploiting old vulnerabilities. "OK, then get patching," he advises. "Investing in best-of-breed security defences is always prudent, but to stop the bleeding, we've got to invest more in our human firewalls and reducing our network attack surfaces."
On seeing the report, Mike Rothman, president of Securosis, commented that the findings are consistent with what he is seeing in the industry. "There are more attacks, more sophisticated malware, and more complexity ahead relative to skyrocketing cloud usage, all making it more challenging to execute on a security program," he said. "This difficulty is compounded by the global security skills shortage and the ongoing inability for most employees to not click on links that compromise their devices."
However, on the positive side, Rothman said, budgets continue to increase and security initiatives are very high profile, consistently getting board room visibility.
"So all in all, it's the best of times and the worst of times for security folks," Rothman said.