Proactive approach improving security & raising confidence among cyber-sec pros

News by Tony Morbin

The one big thing to impact the industry is the use of the MITRE ATT&CK framework. Proactivity will continue to achieve better security which should make cyber-security pros become more confident overall.

Three quarters of CTOs/CISOs (76 percent) are more confident in their ability to repel cyber-attacks than they were 12 months ago, according to Carbon Black’s third UK Threat Report, undertaken by Opinion Matters.

SC asked Rick McElroy, head of security strategy at Carbon Black, why this might be: is there any evidence to support that confidence, or is it just complacency? While acknowledging that over-confidence in security could come back and bite you, he nonetheless replied: "There are a lot of reasons for the increased confidence. The tools are better and there is more data than ever before. But the one big thing that has impacted the industry is the use of the MITRE ATT&CK framework.

"Now that organisations know about the attacks, they are adopting the latest testing methodology and tactics," which McElroy says has led to a "levelling up" across organisations. "Before they needed reports to discover how and why an attack happened, but now they have gained confidence in how to self-assess." He suggests this growing confidence is indicative of a power shift in favour of defenders, who are taking a more proactive approach to hunting out and neutralising threats than previously.

The report also found that 93 percent of UK businesses plan to increase their security budgets over the next year. SC asked what the main driver has been: is it regulation such as GDPR, or is there genuine concern and awareness at board level? McElroy agreed that, yes, regulations and fines have had an impact, but there is also a growth in consumer concern about privacy and security, and as a result businesses are taking cyber-security very seriously. "They are asking CISOs to become members of the board. It’s about (articulating) risk management, not technology, and if you are too technical (in explanations) you disqualify yourself. The board want to be educated about cyber-risk. Their number one concern is brand protection."

While that may top the list of concerns, almost one in ten (nine percent) of UK organisations suffered severe monetary damage from a breach, a third suffered some monetary damage, and most (84 percent) suffered some kind of breach. While these costs will include some paying ransoms, McElroy told SC that it is primarily indicative of how the market now values data, with its loss particularly impacting large health organisations; the losses also include the money spent on clean-up and, in some cases, investigations that can go on for more than a year, some with systems down in the interim.

Another interesting finding is that 90 percent of UK businesses reported threat hunting had improved their defences. First, Carbon Black confirmed this was not just its customers but something seen across the market. So why has threat hunting become the norm at UK businesses, what does it tend to entail, and why the change? McElroy explained: "Threat hunting has moved from being an art to a science and become more prescriptive. Previously, if someone spent three hours threat hunting, the company might ask, ‘What are they doing?’ but it has become better understood how to measure network activity. It’s not necessarily about advanced threats, catching an APT, but finding a lot of actions for improvement."

Increased proactivity has put a further focus on the lack of skills, but McElroy says strategies adopted to overcome this include identifying people with the right mindset, who may not necessarily have taken the right educational path for the sector. "There has been huge democratisation of education with resources on-line," he notes, adding: "You don’t need to be a 20-year InfoSec professional, you can be a WinSys Admin, or a lot of other people." The other problem is retention of staff, which McElroy suggests relies on being a good place to work, with good leadership to drive that.

Asked about his main takeaway, McElroy commented: "I am happy to see cyber-security professionals becoming more confident overall. We talk a lot about our failures and often can’t talk about our successes. It’s all talking about the train-crash, but even spam filters stop a lot of attacks, things have clearly changed. And proactivity will continue to achieve better security, whether it’s called threat-hunting or something else - which should make the cyber-security sector a more welcoming place."

Key findings from UK business respondents:

  • 84 percent suffered a data breach during the past 12 months

  • 84 percent saw an increase in overall attack volume in the past 12 months

  • 90 percent say cyber-attacks have grown more sophisticated

  • 88 percent have IT security concerns around digital transformation projects and 5G network rollout

  • 76 percent are more confident in their ability to repel cyber-attacks than they were 12 months ago

  • 90 percent say threat hunting has improved their defences

  • 93 percent plan to increase their security budgets over the next year
