Cyber crisis response failing to adapt to modern threats

Today, a stark disconnect exists between the inadequacy of crisis exercising and the desire to build an effective cyber crisis response function, according to an Osterman Research study.

cyber crisis response

The report into senior security leaders at 402 organizations with an average of 1900 employees in the US and UK found nearly 40% are not fully confident in their teams training to handle a data breach if one happened that week.

A spike in ransomware attacks

Looking at the evolution of ransomware alone, the number of ransomware detections in business environments rose by 365% between Q2 2018 and Q2 2019, and global organizations have seen a 148% spike in ransomware attacks amid COVID-19.

Meanwhile, more than a third of organizations surveyed say they space their tabletop exercises a year – sometimes two – apart, with 65% consisting of reviewing PowerPoint slides. In fact, slide-based sessions are nearly 20 times more common than practicing simulations and 64% ran three or fewer scenarios during their last exercise.

“If you did your ransomware training in January, you’re likely five ransomware techniques behind the curve now,” said James Hadley, CEO of Immersive Labs.

“With three quarters of organizations agreeing that business continuity was at the forefront of their minds, it is time to close the gap between attackers and defenders and shake up the outdated status quo. This requires faster, shorter crisis drills run with the people you will be standing shoulder to shoulder with when the worst happens. Crisis exercises must be made more contemporary.”

There is a need for more –and modernized – cyber training across organizations, not just on the security team.

Over reliance on plans contributes to low IR confidence

Despite organizations’ low confidence in their IR preparedness, 61% of respondents think having an IR plan is the single most effective way to prepare for a security incident. In fact, twice the amount of respondents thought an IR plan was more effective than regular table-top crisis exercising.

When they do perform crisis exercises, nearly 40% of all senior security leaders surveyed said the last exercise generated no action from the business.

Senior cybersecurity leadership skipping crisis exercises

Only a fraction of people who will be involved in a real crisis are present in training. A quarter of organizations surveyed ran crisis exercises without senior cybersecurity leadership in attendance, and only 20% of exercises involved communications team members, although the survey showed impact on brand is more important in security leaders’ minds when running crisis exercises at 47%, than share price (24%) or liquidity (27%).

Nearly half of security leaders said their organizations do not have a cross disciplinary cyber crisis group, of those who do, only 17% met monthly.

The pandemic exacerbates challenges with the human factor

20% of respondents said they find it impossible to effectively involve people in crisis response remotely from other geographies. Add to that, the human element of the cyber equation is being overlooked by crisis response exercises with only 15% saying they are focused on stress testing human cyber readiness.

cyber crisis response

Technology investments aren’t enough

Technology investments can’t save an organization alone, it’s time to focus on people. Nearly 60% of respondents think the best way to prepare for a crisis incident is to buy more technology, and more are interested in covering themselves legally (38%) than running effective tabletop exercises and fire drills to train their teams (32%).

“Dusting off the three-ring binder crisis plan does not cut it today,” added Hadley. “In the first 30 minutes of a crisis, it is highly unlikely you’re thinking of your plan. It’s the real-life, crisis simulation training that prepares organizations to effectively respond to security incidents.

“Micro-drills, or very focused exercises, designed to address particular risks must make their way into the mix. Much like exercising to stay fit, this needs to happen with regularity in dynamic environments, and involve all the right people, in order to keep current and be effective.”

Phishing is a huge concern among security decision-makers and influencers

A serious disconnect exists between how decision makers (i.e., CISOs, CIOs and CEOs), and security practitioners (i.e., IT managers and directors, security architects and security operations analysts) perceive phishing prevention, according to a research by Ironscales.

phishing prevention

The research is based on a detailed, cross-industry survey of 252 security professionals from the United States and the United Kingdom.

Among its key findings, the survey revealed that decision makers are four times more likely than security practitioners to consider email security the highest priority, suggesting that security personnel believe that they have a sufficient handle on phishing prevention while the C-Suite sees substantial business risk.

“The disconnect between security practitioners and decision makers is extraordinarily problematic for phishing prevention and incident response,” said Eyal Benishti, CEO at Ironscales.

“The cause for such a predicament – whether or not security professionals on the front lines don’t fully understand the long-term business impacts of a successful phishing attack or if the C-Suite is simply over-concerned – is irrelevant. What matters is that moving forward these two important constituencies get on the same page so that the proper time and attention can be allocated towards minimizing phishing risk.”

The survey revealed that there is a critical need for real-time threat intelligence to more thoroughly address the risk of phishing; that the security skills shortage is having a material impact on security teams’ ability to deal with phishing properly, and that most organizations are using several tools to combat phishing, with secure email gateways remaining the most common.

Key research findings

  • 24% of a 40-hour work week is spent by security analysts investigating, detecting or remediating phishing emails.
  • Only One in five organizations continuously updates and tweaks its corporate email security policies in a typical month.
  • Nearly three in five organizations train their users on proper email security protocols no more than twice per year, while only a third of organizations do so much more frequently (at least monthly or continuously).
  • More than 70% of organizations use only manual processes for reviewing user-reported phishing emails, making it far too labor and time-intensive to mitigate email threats at scale.

phishing prevention

Problems with phishing prevention

The survey also found that phishing emails continue to take organizations a substantial amount of time to detect, investigate and remediate. In total:

  • 70% of organizations take more than 5 minutes to remove a phishing attack from a corporate mailbox even though the average time-to-click is 82 seconds.
  • 75% of organizations cannot act on phishing intelligence automatically in real-time.
  • 90% of organizations cannot orchestrate phishing intelligence from multiple sources in real time in the context of their overall email security solution(s).

“The survey’s findings reinforce the significant challenges that email phishing attacks incur on organizations of all sizes,” said Michael Osterman, principal analyst at Osterman Research.

“Most immediately, decision makers and cybersecurity practitioners must work to overcome the disconnect that exists so that time, budget and resources can be properly allocated to reduce email phishing risk.”

Employees aware of privacy risks, but unsure of how they affect the workplace

62 percent of employees are unsure if their organization has to comply with the recently-enacted CCPA, which gives California residents enhanced consumer data privacy rights, according to a survey of more than 1,000 employees conducted by Osterman Research.

aware of privacy risks

Results reveal a similar lack of awareness regarding the GDPR, in effect since 2018.

Employee cybersecurity and privacy engagement

The findings reveal progress in cybersecurity awareness. However, many respondents continue to hold false impressions about malware, phishing, and cloud file-sharing, putting their personal and employers’ data at risk.

“The benefits and rewards of digital technology are many, but so are the risks. As states race to address cybersecurity and data privacy risks with new compliance measures, businesses are under more pressure than ever to educate their employees, or prepare to face increasingly negative outcomes,” MediaPRO Chief Strategist Lisa Plaggemier said.

“To adequately protect consumer data, companies must quickly transform employees from bystanders into security advocates, and that begins with awareness programs that engage employees and reinforce behaviors that align with security and compliance goals.”

The survey assessed employee engagement with and understanding of good cybersecurity and privacy practices (or lack thereof) across multiple risk areas. Overall results show more than 50 percent of respondents fall within the “vulnerable” side of the spectrum regarding their reported practices and attitudes.

“The survey revealed a number of key issues that decision makers should address right away,” said Michael Osterman, Principal Analyst of Osterman Research. “Among them is the need for more and better security awareness training, and improving employees’ perception of their role as a key line of defense for both security and privacy compliance.”

Confidence and security awareness remain lacking

Awareness of seemingly basic cybersecurity threats and best practices remains insufficient among many employees, putting them and their organizations at risk. More than a quarter admitted struggling to identify a phishing email, while just 17 percent felt “very confident” they could identify a social engineering attack.

Only 27 percent of employees can identify at least two warning signs that malware has infected their computing platform, and two in five employees are unable to describe to senior management the negative impacts posed by cybersecurity risks.

Misinformation and misconceptions abound

Cybersecurity awareness requires the ability to correctly distinguish cybersecurity fact from fiction, yet many employees have distorted ideas. For instance, one in seven employees believe that – much like the flu passes among people – malware can spread among devices in close physical proximity.

A full 39 percent of employees mistakenly believe that simply leaving their computer unlocked can also result in a malware infection.

Privacy regulations remain challenging

Many employees require a better understanding of the privacy regulations and guidelines impacting their organizations, and the requisite steps to protect data.

A majority of employees (more than 60 percent) don’t know if their organization needs to comply with most privacy rules and data protection guidelines such as the CCPA, PCI DSS, and GDPR.

In fact, nearly three in five employees (58 percent) don’t believe storing sensitive data in an unsecured location or on their desktop / laptop computers or mobile devices (69 percent) could pose a potential policy violation.

Social media and file-sharing security awareness is high

The majority of employees (more than 50 percent) understand that oversharing on social media is a bad idea, as it can give cybercriminals the information and opportunity to craft more targeted attacks.

More than half of employees understand using personal webmail for work purposes poses a risk to their organization, and 90 percent recognize the risk associated with using personally managed file-sharing or similar cloud solutions for work purposes.

Employees possess password savvy

The majority of employees are mindful of password best practices, using a unique password for every device and application (52 percent). When working from home 61 percent of employees agree it’s important to change their router’s default password before accessing corporate data or email.

Urgency of updates is understood

Software updates serve an important role in protecting devices from viruses and malware, and ensuring security holes are quickly patched before cyber thieves can exploit them.

The vast majority of employees (84 percent) understand that regularly installing software upgrades help protect against cybersecurity threats and prevent security breaches.

“Safely navigating the digital world remains confusing for many. Add to that an ever changing roster of seemingly byzantine rules and regulations and the effort can seem almost insurmountable,” said Tom Pendergast, Chief Learning Officer at MediaPRO.

“This survey shows we still have a long way to go toward resolving employee clarity and consistency on cybersecurity and data privacy obligations and best practices; however, we’re encouraged that many of our respondents appear to be on the right track in putting their cybersecurity knowledge into action day-to-day.”

Most businesses have yet to allocate a CCPA compliance budget

Only 15% of organizations report having a mature approach to data privacy, 59% have yet to allocate budget to CCPA compliance, and 58% are currently using or will look to implement machine learning-driven systems to improve manual processes for data security, Egress reveals. Compliance and preparation In succession to the EU’s landmark GDPR legislation, the CCPA is set to revolutionize data privacy and security within the United States, with major penalties and litigation slated for … More

The post Most businesses have yet to allocate a CCPA compliance budget appeared first on Help Net Security.