TrapX Security and Enterprise Strategy Group (ESG) have released the findings of research that surveyed 150 cyber and IT professionals directly involved in security strategy, control and operations within manufacturing organizations about their current and future concerns.
Manufacturing industry under threat
The research findings point to an industry whose security teams are seeing the IT and OT environments converging at a rapid pace. Yet manufacturing organizations are struggling to safeguard OT assets because they are using the same tools for OT as they use to safeguard their IT infrastructure.
As a result, IT teams can’t keep up with growing volumes of security data or the increasing number of security alerts. They lack the right level of visibility and threat intelligence analysis and don’t have the right staff and skills to handle the cybersecurity workload.
Consequently, business operations are being disrupted and cyber-risk is increasing: more than half of the manufacturing organizations surveyed have experienced some type of cybersecurity incident on their OT systems in the last 12 months, taking weeks or months to remediate.
IT and OT convergence best practice for manufacturers
Manufacturing organizations have large and growing investments in IT and OT technology to combat a rising threat landscape and achieve more agile business processes. As the research reveals, IT and OT integration is fast becoming a best practice.
49% of organizations say that IT and OT infrastructure are tightly integrated while another 45% claim that there is some integration. This integration will only increase as 77% of respondents expect further IT and OT infrastructure convergence in the future.
However, only 41% of organizations employ an IT security team with dedicated OT specialists, while 32% rely on their IT security team alone to protect OT assets. 58% use network technology tactics like IP ranges, VLANs, or microsegmentation to segment IT and OT network traffic.
24% of organizations simply use one common network for IT and OT communications, reducing the visibility and response required for OT-focused attacks.
Common tools and staff may make operational sense, but deploying a plethora of IT security technologies to prepare for the specific threats of OT leaves IT teams unprepared and vulnerable to attack.
As illustrated through this research, IT teams are repeatedly overwhelmed by the growing volumes of security data, visibility gaps, and a lack of staff and skills.
IT teams overwhelmed by volumes of security data
Security teams are challenged by the growing volumes of security data and the increasing number of security alerts. 53% believe that their security operations workload exceeds staff capacity.
37% admitted they must improve their ability to adjust security controls. 58% of surveyed organizations agreed that threat detection and response has grown more difficult.
When asked to provide additional detail on the specific nature of that growing complexity, 45% say they are collecting and processing more security telemetry and 43% say that the volume of security alerts has increased.
Manufacturers are still working in the dark, though, with 44% citing evolving and changing threats as making threat detection and response more difficult. This is particularly true as threat actors take advantage of the “fog” of COVID-19.
“The research illustrates a potentially dangerous imbalance between existing security controls and staff capabilities, and a need for more specialized and effective safeguards,” said Jon Oltsik, ESG Senior Principal Analyst and Fellow.
“Manufacturing organizations are consolidating their IT and OT environments to achieve economies of scale and enable new types of business processes. Unfortunately, this advancement carries the growing risk of disruptive cyber-attacks.
“While organizations have deployed numerous technologies for threat detection and response, the data indicates that they are overwhelmed by growing volumes of security data, visibility gaps, and a lack of staff and skills.
“Since they can’t address these challenges with more tools or staff, CISOs really need to seek out more creative approaches for threat detection and response.”
Manufacturing lacks the visibility needed for effective threat detection
As the IT/OT attack surface grows, security teams are spread thinner as they try to keep pace with operations tasks such as threat detection, investigation, incident response, and risk mitigation.
53% agreed that their organization’s OT infrastructure is vulnerable to some type of cyber-attack, while the same number stated that they had already suffered some type of cyber-attack or other security incident in the last 12-24 months that impacted their OT infrastructure.
When asked how long it typically takes for their firm to recover from a cyber-attack, 47% of respondents said between one week and one month, resulting in significant and potentially costly downtime for critical systems.
Manufacturing organizations lack the visibility needed for effective threat detection and response – especially regarding OT assets. Consequently, additional security complexity is unacceptable – any new investments they make must help them simplify security processes and get more out of existing tools and staff.
37% said they must improve their ability to see malicious OT activity, 36% say they must improve their ability to understand OT-focused threat intelligence and 35% believe they must improve their ability to effectively patch vulnerable OT assets.
44% of respondents highlighted deception technology’s invaluable role in helping with threat research, and 56% said that deception technology can be used for threat detection purposes.
55% of the manufacturing organizations surveyed use deception technology today, yet 44% have not made the connection between deception technology and increased attack visibility.
“This research shows that manufacturing organizations are experiencing real challenges when it comes to threat detection and response, particularly for specialized OT assets that are critical for business operations,” said Ori Bach, CEO of TrapX Security.
“This data, and our own experience working with innovators in all sectors of manufacturing, demonstrate there is a clear need for solutions like deception, which can improve cyber defenses and reduce downtime without the need to install agents or disrupt existing security systems and operations.”
The COVID-19 pandemic has presented a once-in-a-lifetime opportunity for hackers and online scammers, and cybersecurity pros saw a 63 percent increase in cyber-attacks related to the pandemic, according to a survey by ISSA and ESG.
Organizations were fairly prepared for the global pandemic
Thirty-nine percent of respondents claim that they were very prepared to secure WFH devices and applications while 34 percent were prepared. Twenty-seven percent were underprepared.
COVID-19 and WFH are driving improved collaboration
Slightly more than one-third of organizations have experienced significant improvement in coordination between business, IT, and security executives as a result of COVID-19 issues and 38 percent have seen marginal relationship improvements.
COVID-19/WFH have had an impact on cybersecurity professionals and their organizations alike
The research indicates that COVID-19 has forced cybersecurity professionals to change their priorities/activities, increased their workloads, increased the number of meetings they have had to attend, and increased the stress levels associated with their jobs. Meanwhile 48 percent say that WFH has impacted the security team’s ability to support new business applications/initiatives.
Most organizations don’t believe the pandemic will increase 2020 cybersecurity spending
Only 20 percent believe that COVID-19 security requirements will lead to an increase in security spending in 2020, while 25 percent think their organizations will be forced to decrease security spending this year. Where they expect their spending to increase, at least half pointed to priority areas being identity and access management, endpoint security, web and email security, and data security.
COVID-19 may not impact cybersecurity priorities
Seventy percent report that they don’t know or don’t believe that this crisis will lead to cybersecurity becoming a higher priority. Only 30 percent say that cybersecurity will be a higher priority.
Finally, is COVID-19 causing cybersecurity professionals to be concerned about their jobs or career choice? Overall, the answer seems to be “no” to both questions; however, the data seems to indicate that there is more uncertainty in the short term about current cybersecurity jobs.
“COVID-19 had a wide-ranging impact on individuals on the security staff. With 84 percent of cybersecurity professionals working exclusively from home during the pandemic and almost two-thirds believing that their organizations will be more flexible with work-at-home policies moving forward, COVID-19 has personally impacted cybersecurity professionals in their jobs and in their lives. This is in addition to the ongoing impact on organizations and security teams from the yearly worsening problem of the cybersecurity skills shortage,” said Jon Oltsik, Senior Principal Analyst and ESG Fellow.
“While it’s promising to see that the majority of organizations were able to handle the COVID-19 pandemic fairly well, it is surprising that we are not seeing an increase in cybersecurity spending or prioritization following this event. If anything this should serve as a wakeup call that cybersecurity is what enables businesses to remain open and operational. Organizations prioritizing cybersecurity as a result of the pandemic will likely emerge as leaders in the next wave of cybersecurity process innovation and best practices,” said Candy Alexander, Board President, ISSA International.
The cybersecurity skills crisis continues to worsen for the fourth year in a row and has impacted 70 percent of organizations, as revealed in a global study of cybersecurity professionals by ISSA and ESG.
Cybersecurity profession crisis
The top ramifications of the skills shortage for organizations (or cybersecurity teams) include an increasing workload, unfilled open job requisitions, and an inability to learn or use cybersecurity technologies to their full potential, putting organizations at significant risk.
The cybersecurity skills gap discussion has been going on for nearly 10 years. The study confirms that there has been no significant progress towards a solution to this problem during the four years it has been closely researched. In fact, 45 percent of respondents state the cybersecurity skills shortage and its associated impacts have only gotten worse over the past few years. The question that must be answered is then: Why has nothing changed for the better?
Researchers believe that the root cause has never been addressed. What’s needed is a holistic approach of continuous cybersecurity education, where each stakeholder needs to play a role versus operating in silos. The data uncovered in this research year over year point to these indicators.
Cybersecurity pros need a globally accepted career development plan
Without guidance and a clear path to follow, it is difficult for new candidates to know what is needed and how to acquire the skills necessary to enter the profession. Current professionals are far too often left figuring out how to advance their careers on their own.
Cybersecurity professionals continue to need career guidance. Sixty-eight percent of the cybersecurity professionals surveyed don’t have a well-defined career path and historical solutions are only compounding problems.
Cybersecurity careers depend upon hands-on experience and hands-on experience requires a job. When asked which was most important for their career development: hands-on experience or security certifications, 52 percent chose hands-on experience. Still, 44 percent claim that hands-on experience and certifications are equally important. This combination requires the right job, the right experience, and the right career plan but few cybersecurity professionals can claim this combination.
It takes years to become a proficient cybersecurity professional. Thirty-nine percent believe it takes anywhere from 3 to 5 years to develop real cybersecurity proficiency, while 22 percent say 2 to 3 years and 18 percent claim it takes more than 5 years. This means that entry level cybersecurity pros should be viewed as long-term investments, not immediate problem solvers.
Businesses are not investing in their people or supporting cybersecurity integration within the organization
Sixty-four percent of respondents believe their organization should be doing somewhat or a lot more to address cybersecurity challenges. ESG and ISSA believe that business executives see this as a technical problem rather than a business issue.
Organizations are not providing the right level of cybersecurity training. Thirty-six percent of respondents reported that they thought that their organizations should provide a bit more cybersecurity training, while 29 percent believe their organizations should provide significantly more training. Further, 28 percent believe they are not providing enough training for non-technical employees. Based on 4 years of research, training seems to be a perpetual shortcoming. Alarmingly, there seems to be no plan for improvement.
CISOs and business executives could do more together. Fifty-five percent believe there is adequate CISO participation with executives and corporate boards in 2020, trending upward slightly. Still, 24% think that CISOs and business executives could do more together.
Other critical constituencies were also rated on their ability to keep up with cybersecurity challenges and the data indicates that industry and community at large need to step up: For example, 68 percent of respondents believe that cybersecurity technology and service vendors should be doing somewhat or a lot more and 71 percent of respondents believe the cybersecurity community at large should be doing somewhat or a lot more.
“The cybersecurity gap cannot be addressed by simply filling the pipeline with new people. What’s needed is a holistic approach, starting with public education, comprehensive career development and planning, and career mapping – all with the support and integration with the business,” said Candy Alexander, Board President, ISSA International.
“As this and past reports clearly indicate, key constituents are not looking at the profession strategically. While we are making some fragmented progress, the same issues present themselves year after year, including a shortage of skills, under-trained employees, and the stress and strain caused by a career in the cybersecurity field. These disturbing trends should be of concern to corporate directors and business executives, particularly in light of the alarming findings this year that 67% of respondents believe that cyber-adversaries have a big advantage over cyber-defenders,” said Jon Oltsik, Senior Principal Analyst and ESG Fellow.
Application performance, impacted by network complexity at the edge and in the cloud, is the key enterprise concern this year for organizations implementing SD-WAN, according to Aryaka.
The study surveyed over one thousand global IT and network practitioners at companies across all verticals, headquartered in NA, APAC and EMEA. The survey asked respondents about their networking and performance challenges, priorities and their plans for 2020 and beyond.
“Modern applications are being distributed across on premises data centers, multiple public clouds (IaaS & SaaS) and edge locations. This is creating more complexity and greater dependency on the network to ensure optimal application performance as confirmed by the Aryaka report,” said Bob Laliberte, Sr. Analyst and Practice Director at ESG.
“Organizations need WAN solutions that deliver performance, flexibility and simplicity to overcome that complexity. This is driving interest in managed SD-WAN offerings that combine application optimization and secure connectivity, to any location, from any location, including access and support for remote workers.”
Enterprise complexity at the edge and within the cloud is creating a challenging environment for IT organizations. IT managers identify complexity and slow performance of both on-prem and cloud-based applications as their biggest concerns.
Complexity (37 percent) replaces cost as the number one concern, followed by slow on-prem performance (32 percent) and slow access to cloud and SaaS apps (32 percent). Security (31 percent) and long deployment times (30 percent) are also in the top four.
With so many applications in use, many of which are cloud-based, IT is consumed by managing application performance and access to the cloud. And it’s only getting more complex, highlighting the need for a managed service for many organizations.
The most time-consuming IT issues identified by respondents were remote and mobile (47 percent), application performance at the branch (43 percent) and accessing the cloud, which doubled from 20 percent in 2019 to 42 percent in 2020.
Challenges surrounding UCaaS
The survey showed that while network managers have high expectations for performance, UCaaS is still challenging to deploy globally, and, once again, complexity is the culprit.
Respondents identified set-up and management as the number one challenge for voice and video (48 percent in 2020; 27 percent in 2019), highlighting the need for managed solutions that hide the complexity. Lag/delay was a close second (43 percent in 2020; 30 percent in 2019), which illustrates network performance issues. This was followed by dropped calls (39 percent).
It’s all about the apps and where they’re connecting from
Most of the enterprises surveyed are leveraging over 10 SaaS applications (51 percent in 2020 versus 23 percent in 2019), which speaks to the criticality of cloud performance. In terms of where these SaaS apps are hosted, it’s a multi-cloud world, with AWS, Azure, Google, IBM, Oracle, and Alibaba Cloud all well represented.
What’s more, enterprises are continuing to increase the number of applications deployed. A growing number of companies are deploying 100+ applications: 59 percent in 2020 compared to 43 percent in 2019. Please refer to the report for more detailed, per-vertical data and year-on-year comparisons.
What’s being done to reduce complexity
To address increased complexity and the time spent managing the WAN, enterprises regardless of size are undergoing major initiatives that include automation, the cloud and newer areas of interest such as IoT, AI/ML and blockchain.
For broad IT initiatives, automation grew substantially to 41 percent of respondents in 2020 from only 31 percent in 2019, as did IoT (29 percent in 2020 from 18 percent in 2019), AI/ML (27 percent in 2020 from 12 percent in 2019), and blockchain (21 percent in 2020 from only five percent in 2019).
On the cloud front, regardless of company size, upgrades and management are important, and there is also keen interest in 5G. This last initiative reflects the interest in 5G as a future primary connectivity option for SD-WAN.
Respondents identified cloud upgrades (37 percent) and management (38 percent) as top networking initiatives. A whopping 42 percent of respondents also named 5G as a top initiative for this year.
Barriers and expectations for today’s SD-WANs
Buyers are at various stages of their SD-WAN evaluation, but most are still gathering information or evaluating vendors. Forty-four percent of respondents are gathering information, 23 percent are evaluating SD-WAN vendors, 11 percent are building a business case, 13 percent are in the middle of deploying, six percent have deployed and are assumed to be happy, while only two percent have deployed but are not happy.
When evaluating SD-WAN, the top three potential barriers include application performance, knowledge gaps and complexity. Overall, cost seems less a consideration this year versus performance and complexity, with SD-WAN ROI better understood and valued than in previous years.
Beyond the barriers mentioned above, SD-WAN planners have certain expectations they’d like met. Respondents said the cloud and WAN optimization are still key requirements for a successful SD-WAN solution, but NFV, support for remote workers and the desire for a managed service have grown substantially. Add in security, and all of these features illustrate the many moving parts critical to a successful SD-WAN deployment.
Their SD-WAN feature wish lists included expected responses such as security, cloud and WAN optimization, but also network functions virtualization (NFV), which more than doubled from 2019 (35 percent in 2020 from 13 percent in 2019), and support for remote employees, which also grew by over 50 percent (33 percent in 2020 from 21 percent in 2019). Organizations are increasingly expecting the mobile workforce to be included as part of the total SD-WAN solution.
The desire for a fully managed SD-WAN also increased to 37 percent in 2020 from 28 percent in 2019. This aligns with a growing acceptance for managed offerings, likely in response to the increasing complexities and challenges detailed earlier, with 87 percent of respondents saying they would consider a managed SD-WAN as compared to 59 percent in 2019.
“We are living in a complex multi-cloud and multi-SaaS application world. As global enterprises continue to innovate by embracing new technologies and migrating to the cloud, they also face new challenges, and the network is increasingly a strategic asset,” said Shashi Kiran, CMO of Aryaka.
“Whether it’s an increasing number of global sites through expansion, poor performing cloud-based applications, increasing costs or the time it takes to manage multiple vendors, many organizations are at an inflection point: transform the WAN now or risk falling behind and losing out to competitors.”
Encryption provides the best defense against any fines that might be levied for violations or data breaches under CCPA, according to ESG and Fortanix.
What can you do?
The report also revealed that CCPA applies data breach sanctions only if companies fail to protect personal data with encryption or redaction. If personal information is protected with appropriate data security measures, it cannot be used by unauthorized parties, so consumers are left unharmed.
Encrypted data that is stolen remains unintelligible, protecting the identity and personal information of its owner and mitigating risk for the business.
“Encryption is a security strategy that will protect sensitive data such as the personal information covered by CCPA,” wrote Christophe Bertrand, ESG senior analyst.
“It protects an organization from scenarios like a devastating breach where hackers gain access to systems containing personal data. It is important to implement encryption throughout the data lifecycle, including while data is at rest in a storage layer, while it is in transit over networks, and while it is in use by applications in the memory of the operating system.”
“Also, consider that personal customer data should be encrypted whether it exists in public cloud storage, in software-as-a-service (SaaS) applications such as CRM, or throughout your supply chain, in addition to your internal data center systems,” Bertrand continued in the report.
“Organizations need to implement advanced data classification, data anonymization, data masking, encryption, security, and access controls in order to set themselves up for successful compliance. ESG believes that many organizations are only ready on the surface – with marketing opt-in/out processes, for example.”
Protecting customer data privacy a strategic imperative for businesses
The CCPA is landmark consumer privacy legislation. Often compared to GDPR, CCPA protects consumers from mismanagement of their personal data and gives them control over what data is collected, processed, shared, or sold by companies doing business in California. This act is the strongest privacy legislation enacted in any state, giving more power to consumers with regards to their private data.
With many experts predicting that other states will pass similar legislation in the coming years, companies across the US that take proactive steps today to better protect consumer data will be best equipped for future regulations.
“With the increase in regulatory penalties and devastating data breaches we have seen, protecting the privacy of customer data is a strategic imperative for business,” said Ambuj Kumar, CEO of Fortanix.
“The most reliable and efficient method of both protecting customer data and avoiding regulatory penalties is to encrypt all customer data throughout its lifecycle while at rest, in motion, and while in use by applications.”
Despite having hundreds of tools at their disposal, IT and security teams are rapidly losing sight of their asset landscape.
That’s the finding from a survey from Axonius, which reveals how trends including the ever-increasing number of end-user devices, rapid cloud adoption, and the looming IoT explosion are leading to increased complexity and risk and decreased visibility.
Lack of visibility
The study first reveals that today’s IT infrastructure barely resembles what it was just five years ago, and a confluence of megatrends are all rising to impact IT and security teams.
“When we speak with customers from the midmarket up to the Fortune 100, we hear the same challenges: teams are faced with too many assets, a patchwork of security tools, and maddeningly manual processes to understand what is there and whether those assets are secure,” said Dean Sysman, CEO at Axonius.
The survey of 200 IT and cybersecurity professionals from private and public-sector organizations in North America found that the move to the public cloud, an increase in the number of end-user devices, and IoT projects all contribute to a lack of visibility.
Specifically, the study found that 52% of VMs now reside in the cloud, running in multiple cloud environments, making it increasingly more challenging for organizations to manage them effectively. At the same time, container usage is mainstream among cloud users, with continued predicted growth that will add further complexity.
While bring-your-own-device (BYOD) trends began more than 15 years ago, organizations are still grappling with evolving BYOD policies, especially with a typical employee now using more than four devices each week. As a result, organizations believe they are blind to about 40% of end-user devices.
Pressure on IT and security teams to deal with major security gaps
At the same time, IoT continues to play an increasing role in the workplace, with more than half of organizations reporting active IoT projects. Yet, 77% report an IoT visibility gap.
This decrease in visibility correlates directly to an increase in risk. The survey found that 75% of organizations have experienced several serious cloud VM security incidents as a result of cloud visibility gaps, and 73% admit to experiencing multiple serious incidents as a result of an end user device visibility gap. In fact, organizations with visibility gaps experience 2.3x more security incidents than those without.
“Together, these changes are putting enormous pressure on IT and security teams, who are already struggling to find new management and security tools that can keep up,” said Dave Gruber, Senior Analyst, ESG.
“VMs, new devices, and new device types are driving complexity. Most say that they already have too many tools, yet still report visibility gaps in what they can see versus what they want to see across cloud, mobile, and IoT environments. This gap directly translates into added security risk. 85% of organizations plan to increase investment in asset management to help overcome these issues.”
To regain the visibility needed to combat these challenges, security and IT teams are returning to a focus on the fundamentals like investing in gaining a credible inventory and automating asset management.
Comprehensive IT asset inventories take over two weeks of effort, requiring 89 person-hours of labor. On average, they happen 19 times per year, demanding the involvement of multiple teams and people, so it shouldn’t come as a surprise that the survey found 85% of organizations plan to increase investment in asset management to help overcome these issues – especially in light of the fact that roughly 90% expect the time freed up from asset-related tasks would have a material improvement on threat hunting and incident investigation.