Organizations are rapidly increasing the size, scope and scale of their data protection infrastructure, reflected in dramatic rises in adoption of public key infrastructure (PKI) across enterprises worldwide, according to Entrust research.
PKI is at the core of nearly every IT infrastructure, enabling security for critical digital initiatives such as cloud, mobile device deployment, identities and the IoT.
The annual study is based on feedback from more than 1,900 IT security professionals in 17 countries.
IoT, authentication and cloud, top drivers in PKI usage growth
As organizations become more dependent on digital information and face increasingly sophisticated cyberattacks, they rely on PKI to control access to data and ascertain the identities of people, systems and devices on a mass scale.
IoT is the fastest growing trend driving PKI application deployment, up 26 percent over the past five years to 47 percent in 2020, with cloud-based services the second highest driver cited by 44 percent of respondents.
PKI usage surging for cloud and authentication use cases
TLS/SSL certificates for public-facing websites and services are the most often cited use case for PKI credentials (84 percent of respondents).
Public cloud-based applications saw the fastest year-over-year growth, cited by 82 percent, up 27 percent from 2019, followed by enterprise user authentication by 70 percent of respondents, an increase of 19 percent over 2019. All underscore the critical need of PKI in supporting core enterprise applications.
The average number of certificates an organization needs to manage grew 43 percent in the 2020 study over the previous year, from 39,197 to 56,192 certificates, highlighting a pivotal requirement for enterprise certificate management.
The rise is likely driven by the industry transition to shorter certificate validity periods, and the sharp growth in cloud and enterprise user authentication use cases.
Challenges, change and uncertainty
The study found that IT security professionals are confronting new challenges to enabling applications to use PKI. 52 percent cited lack of visibility of an existing PKI’s security capabilities as their top challenge, an increase of 16 percent over the 2019 study.
This issue underscores the lack of cybersecurity expertise available within even the most well-resourced organizations, and the need for PKI specialists who can create custom enterprise roadmaps based on security and operational best practices.
Respondents also cited inability to change legacy applications and the inability of their existing PKIs to support new applications as critical challenges – both at 51 percent.
When it comes to deploying and managing a PKI, IT security professionals are most challenged by organizational issues such as no clear ownership, insufficient skills and insufficient resources.
PKI deployment figures from the study clearly indicate a trend toward more diversified approaches, with as-a-service offerings even becoming more prevalent than on-premise offerings in some countries.
The two greatest areas of PKI change and uncertainty come from new applications such as IoT (52 percent of respondents) and external mandates and standards (49 percent). The regulatory environment is also increasingly driving deployment of applications that use PKI, cited by 24 percent of respondents.
Security practices have not kept pace with growth
In the next two years, an estimated average of 41 percent of IoT devices will rely primarily on digital certificates for identification and authentication. Encryption for IoT devices, platforms and data repositories, while growing, is at just 33 percent – a potential exposure point for sensitive data.
Respondents cited several threats to IoT security, including altering the function of IoT devices through malware or other attacks (68 percent) and remote control of a device by an unauthorized user (54 percent).
However, respondents rated controls relevant to malware protection – like securely delivering patches and updates to IoT devices – last on a list of the five most important IoT security capabilities.
The US National Institute of Standards and Technology (NIST) recommends that cryptographic modules for certificate authorities (CAs), key recovery servers and OCSP responders should be validated to FIPS 140-2 level 3 or higher.
Thirty-nine percent of respondents in this study use hardware security modules (HSMs) to secure their PKIs, most often to manage the private keys for their root, issuing, or policy CAs. Yet only 12 percent of respondents indicate the use of HSMs in their OCSP installations, demonstrating a significant gap between best practices and observed practices.
“PKI underpins the security of both the business and the consumer world, from digitally signing transactions and applications to prove the source as well as integrity, to supporting the authentication of smart phones, games consoles, citizen passports, mass transit ticketing and mobile banking,” says Larry Ponemon, founder of the Ponemon Institute.
“The 2020 Global PKI and IoT Trends Study shows a surge in the use of PKI credentials for cloud-based applications and enterprise user authentication, underscoring the criticality of PKI in supporting core enterprise applications.”
“We are seeing increasing reliance on PKI juxtaposed with struggles by internal teams to adapt it to new market needs — driving changes to traditional PKI deployment models and methods,” says John Grimm, vice president strategy for digital solutions at Entrust.
“In newer areas like IoT, enterprises are clearly failing to prioritize security mechanisms like firmware signing that would counter the most urgent threats, such as malware.
“And with the massive increase in certificates issued and acquired found in this year’s study, the importance of automated certificate management, a flexible PKI deployment approach, and strong best practice-based security including HSMs has never been greater.”
75% of AppSec practitioners and 49% of developers believe there is a cultural divide between their respective teams, according to ZeroNorth.
As digital transformation takes hold, it is increasingly vital that AppSec teams and developers work well together. With DevOps methodology seeing more adoption, teams are delivering software at continually higher velocities. Speed is the culture of DevOps, which often runs counter to the culture of security, which is risk averse and rigid.
The research, conducted by Ponemon Institute, surveyed 581 security practitioners and 549 developers on the cultural divide, its implications, the impact of COVID-19 and teleworking on the divide, and how to bridge the divide.
The findings of the research highlight both the software delivery and security impacts resulting from the cultural divide across AppSec and developer teams. For example, 56% of developers say AppSec stifles innovation.
On the other hand, 65% of AppSec professionals believe developers do not care about securing applications early in the software development lifecycle.
Teams not sharing opinions on application risk
Importantly, too, for AppSec and developers to share a culture centered on delivering secure applications, there must be a shared understanding of risk. The teams are not aligned on this front, however. Only 35% of developers say application risk is increasing; 60% of AppSec professionals believe this to be true.
“As this survey shows, the cultural divide is here today, and will become more exacerbated as organizations move towards DevOps, rendering the traditional, centralized model for security obsolete,” said ZeroNorth CEO, John Worrall.
“We believe this opens the doors for CISOs to become a pillar that supports the bridge between AppSec and development cultures. By enabling a culture that empowers both development and security to execute on their priorities, CISOs can transform the cultures that stifle innovation while significantly improving security.”
“This important research reveals the serious impact the AppSec and Developer cultural divide can have on an organization’s security posture,” said Larry Ponemon, chairman, Ponemon Institute.
“Based on the research findings, we recommend organizations take the following five steps to help bridge the cultural divide: (1) ensure sufficient resources are allocated to ensure applications are secured in the development and production phase of the SDLC, (2) apply application security practices consistently across the enterprise, (3) ensure developers have the knowledge and skill to address critical vulnerabilities in the application development and production life cycle, (4) conduct testing throughout the application development and (5) ensure testing methods scale efficiently from a few to many applications.”
Understanding the cultural divide and its implications
- Developer and AppSec practitioners don’t agree on which function is responsible for the security of applications. 39% of developers say the security team is responsible, while 67% of AppSec practitioners say their teams are responsible.
- AppSec and developer respondents admit working together is challenging, with AppSec respondents saying it is because the developers publish code with known vulnerabilities. Developers say security does not understand the pressure of meeting their deadlines and security stifles their ability to innovate.
- Digital transformation is putting pressure on organizations to develop applications at increasing speeds, which puts security at risk. 65% of developer respondents say they feel the pressure to develop applications faster than before the digital transformation, and 50% of AppSec respondents agree.
- 71% of AppSec respondents say the state of security is undermined by developers who don’t care about the need to secure applications early in the SDLC and 69% say developers do not have visibility into the overall state of application security.
The impact of COVID-19 and teleworking on the cultural divide
- 66% of developers and 72% of AppSec respondents say teleworking is stressful. Only 29% of developers and 38% of AppSec respondents are very confident that teleworkers are complying with organizational security and privacy requirements.
- 74% of AppSec and 47% of developer respondents say their organizations were highly effective at stopping security compromises before COVID-19. After the pandemic started, only one-third of both respondents say their effectiveness is high.
Data breaches cost companies $3.86 million per breach on average, and compromised employee accounts are the most expensive root cause.
The report is based on in-depth analysis of data breaches experienced by over 500 organizations worldwide; 80% of these incidents resulted in the exposure of customers’ personally identifiable information (PII). Out of all types of data exposed in these breaches, customer PII was also the costliest to businesses.
As companies are increasingly accessing sensitive data via new remote work and cloud-based business operations, the report sheds light on the financial losses that organizations can suffer if this data is compromised.
Conducted by the Ponemon Institute, the 2020 Cost of a Data Breach Report is based on in-depth interviews with more than 3,200 security professionals in organizations that suffered a data breach over the past year. Some of the top findings from this year’s report include:
Smart tech slashes breach costs in half: Companies who had fully deployed security automation technologies (which leverage AI, analytics and automated orchestration to identify and respond to security events) experienced less than half the data breach costs compared to those who didn’t have these tools deployed – $2.45 million vs. $6.03 million on average.
Paying a premium for compromised credentials: In incidents where attackers accessed corporate networks through the use of stolen or compromised credentials, businesses saw nearly $1 million higher data breach costs compared to the global average – reaching $4.77 million per data breach. Exploiting third-party vulnerabilities was the second costliest root cause of malicious breaches ($4.5 million) for this group.
Mega breach costs soar by the millions: Breaches wherein over 50 million records were compromised saw costs jump to $392 million from $388 million the previous year. Breaches where 40 to 50 million records were exposed cost companies $364 million on average, a cost increase of $19 million compared to the 2019 report.
Nation state attacks: Data breaches believed to originate from nation state attacks were the costliest, compared to other threat actors examined in the report. State-sponsored attacks averaged $4.43 million in data breach costs, surpassing both financially motivated cybercriminals and hacktivists.
“When it comes to businesses’ ability to mitigate the impact of a data breach, we’re beginning to see a clear advantage held by companies that have invested in automated technologies,” said Wendi Whitmore, Vice President, IBM X-Force Threat Intelligence. “At a time when businesses are expanding their digital footprint at an accelerated pace and the security industry’s talent shortage persists, teams can be overwhelmed securing more devices, systems and data. Security automation can help resolve this burden, not only enabling a faster breach response but a significantly more cost-efficient one as well.”
Employee credentials and misconfigured clouds
Stolen or compromised credentials and cloud misconfigurations were the most common causes of a malicious breach for companies in the report, representing nearly 40% of malicious incidents. With over 8.5 billion records exposed in 2019, and attackers using previously exposed emails and passwords in one out of five breaches studied, businesses should rethink their security strategy via the adoption of a zero-trust approach – reexamining how they authenticate users and the extent of access users are granted.
Similarly, companies’ struggle with security complexity – a top breach cost factor – is likely contributing to cloud misconfigurations becoming a growing security challenge. The 2020 report revealed that attackers used cloud misconfigurations to breach networks nearly 20% of the time, increasing breach costs by more than half a million dollars to $4.41 million on average – making it the third most expensive initial infection vector examined in the report.
State sponsored attacks strike heaviest
Despite representing just 13% of malicious breaches studied, state-sponsored threat actors were the most damaging type of adversary according to the 2020 report, suggesting that financially motivated attacks (53%) don’t translate into higher financial losses for businesses. The highly tactical nature, longevity and stealth maneuvers of state-backed attacks, as well as the high value data targeted, often result in a more extensive compromise of victim environments, increasing breach costs to an average $4.43 million.
In fact, respondents in the Middle East, a region that historically experiences a higher proportion of state-sponsored attacks compared to other parts of the world, saw an over 9% yearly rise in their average data breach cost, incurring the second highest average breach cost ($6.52 million) amongst the 17 regions studied. Similarly, the energy sector, one of the most frequently targeted industries by nation states, experienced a 14% increase in breach costs year over year, averaging $6.39 million.
Advanced security technologies prove smart for business
The report highlights the growing divide in breach costs between businesses implementing advanced security technologies and those lagging behind, revealing a cost-saving difference of $3.58 million for companies with fully deployed security automation versus those that have yet to deploy this type of technology. The cost gap has grown by $2 million, from a difference of $1.55 million in 2018.
Companies in the study with fully deployed security automation also reported significantly shorter response time to breaches, another key factor shown to reduce breach costs in the analysis. The report found that AI, machine learning, analytics and other forms of security automation enabled companies to respond to breaches over 27% faster than companies that have yet to deploy security automation – the latter of which require on average 74 additional days to identify and contain a breach.
Incident response (IR) preparedness also continues to heavily influence the financial aftermath of a breach. According to the report, companies with neither an IR team nor testing of IR plans experience $5.29 million in average breach costs, whereas companies that have both an IR team and use tabletop exercises or simulations to test IR plans experience $2 million less in breach costs – reaffirming that preparedness and readiness yield a significant ROI in cybersecurity.
Additional findings from this year’s report
- Remote work risk will have a cost: With hybrid work models creating less controlled environments, the report found that 70% of companies studied that adopted telework amid the pandemic expect it will exacerbate data breach costs.
- CISOs faulted for breaches, despite limited decision-making power: Forty-six percent of respondents said the CISO/CSO is ultimately held responsible for the breach, despite only 27% stating the CISO/CSO is the security policy and technology decision-maker. The report found that appointing a CISO was associated with $145,000 cost savings versus the average cost of a breach.
- Majority of cyber insured businesses use claims for third party fees: The report found that breaches at studied organizations with cyber insurance cost on average nearly $200,000 less than the global average of $3.86 million. In fact, of these organizations that used their cyber insurance, 51% applied it to cover third-party consulting fees and legal services, while 36% of organizations used it for victim restitution costs. Only 10% used claims to cover the cost of ransomware or extortion.
- Regional and industry insights: While the U.S. continued to experience the highest data breach costs in the world, at $8.64 million on average, the report found that Scandinavia experienced the biggest year over year increase in breach costs, observing a nearly 13% rise. Healthcare continued to incur the highest average breach costs at $7.13 million — an over 10% increase compared to the 2019 study.
As consumers’ concerns about their digital privacy continue to grow, and as it remains unclear who is responsible for guarding it, new research conducted by Ponemon Institute reveals how little empowered consumers feel when it comes to their data privacy.
Address privacy risks
The research points to a privacy gap between the consumer data protection individuals want and what industry and regulators provide. While the majority of consumers want their data protected, they’re still waiting on, or expecting, the federal government or industries to provide this protection.
For instance, 60% of consumers believe government regulation should help address the privacy risks facing consumers today, of which 34% say government regulation is needed to protect personal privacy and 26% believe a hybrid option (regulation and self-regulation) should be pursued.
“This research revealed much of the tension surrounding digital privacy today. Based on my polling experience, these findings make a compelling case for the important role identity protection products and services play in protecting consumers’ privacy. The study shows that many consumers are alarmed by the uptick in privacy scandals and want to protect their information, but don’t know how to and feel like they lack the right tools to do so,” said Dr. Larry Ponemon, chairman of Ponemon Institute.
Interestingly, the study found that 64% of consumers say they think it is “creepy” when they receive online ads that are relevant to them, but not based on their online search behavior or publicly available information. This confirms that many consumers experience this phenomenon and are alarmed by it. In addition, 73% of consumers say advertisers should allow them to “opt-out” of receiving ads on any specific topic at any time.
This research also reveals a lack of empowerment that consumers feel in their ability to protect their privacy. While 74% of consumers say they have no control over the personal information that is collected on them, they are not taking action to limit the data they provide when using online services. In fact, 54% of consumers say they do not consciously limit what personal data they are providing. This lack of empowerment can have devastating effects on consumers’ privacy if it goes unchecked.
Other key findings
Consumer concern is increasing: 68% of consumers are more concerned about the privacy and security of their personal information than they were three years ago. Three-fourths of consumers (75%) in the over 55 age group have become more concerned about their privacy over the past three years.
Search engines least trusted: 92% of consumers believe search engines are sharing and selling their private data, 78% believe social media platforms are and 63% of consumers think shopping sites are as well. Similarly, 86% of respondents say they are very concerned when using Facebook and Google and 66% of respondents say they are very concerned when shopping online or using online services.
Seniors against advertising tracking: 78% of older consumers say advertisers should not be able to serve ads based on their conversations and messaging.
Consumers have little hope in websites’ ad blocking: Only 33% of consumers expect websites to have an ad blocker that stops tracking and only 17% of consumers say they expect websites to limit the collection and sharing of personal information.
Split responsibility: 54% of consumers say online service providers should be accountable for protecting the privacy of consumers, while 45% say they themselves should assume responsibility.
How consumers protect themselves: 65% of consumers are using some type of privacy protection provided by their devices. Of these, 25% are setting a more restrictive data sharing setting, 21% are using both additional authentication controls and a more restrictive data sharing setting and 19% are using additional authentication controls.
Half of consumers are aware of the availability of protections: Of the protections available to consumers to protect their personal information, 52% say opting out of data collection and 48% say data sharing and encryption of personal information are available, respectively.
While organizations have slowly improved in their ability to plan for, detect and respond to cyberattacks over the past five years, their ability to contain an attack has declined by 13% during this same period, IBM reveals.
The global survey conducted by Ponemon Institute found that respondents’ security response efforts were hindered by the use of too many security tools, as well as a lack of specific playbooks for common attack types.
Lack of security response planning
While security response planning is slowly improving, 74% of organizations surveyed are still reporting that their plans are either ad-hoc, applied inconsistently, or that they have no plans at all.
This lack of planning can impact the cost of security incidents, as companies that have incident response teams and extensively test their incident response plans spend an average of $1.2 million less on data breaches than those without these cost-saving factors in place.
The key findings include:
- Slowly improving: More surveyed organizations have adopted formal, enterprise-wide security response plans over the past 5 years of the study, growing from 18% of respondents in 2015 to 26% in this year’s report (a 44% improvement).
- Playbooks needed: Even amongst those with a formal security response plan, only one third (representing 17% of total respondents) had developed specific playbooks for common attack types – and plans for emerging attack methods like ransomware lagged even further behind.
- Complexity hinders response: The number of security tools that an organization was using had a negative impact across multiple categories of the threat lifecycle amongst those surveyed. Organizations using 50+ security tools ranked themselves 8% lower in their ability to detect, and 7% lower in their ability to respond to an attack, than those respondents with fewer tools.
- Better planning, less disruption: Companies with formal security response efforts applied across the business were less likely to experience significant disruption as the result of a cyberattack; over the past two years, only 39% of these companies experienced a disruptive security incident, compared to 62% of those with less formal/consistent plans.
“While more organizations are taking incident response planning seriously, preparing for cyberattacks isn’t a one and done activity,” said Wendi Whitmore, Vice President of IBM X-Force Threat Intelligence.
“Organizations must also focus on testing, practicing and reassessing their response plans regularly. Leveraging interoperable technologies and automation can also help overcome complexity challenges and speed the time it takes to contain an incident.”
Updating playbooks for emerging threats
The survey found that even amongst organizations with a formal cybersecurity incident response plan (CSIRP), only 33% had playbooks in place for specific types of attacks.
Since different breeds of attack require unique response techniques, having pre-defined playbooks provides organizations with consistent and repeatable action plans for the most common attacks they are likely to face.
Amongst the minority of responding organizations who do have attack-specific playbooks, the most common playbooks are for DDoS attacks (64%) and malware (57%). While these methods have historically been top issues for the enterprise, additional attack methods such as ransomware are on the rise.
While ransomware attacks have spiked nearly 70% in recent years, only 45% of those in the survey using playbooks had designated plans for ransomware attacks.
Additionally, 52% of those with security response plans said they have never reviewed or have no set time period for reviewing/testing those plans. With business operations changing rapidly due to an increasingly remote workforce, and new attack techniques constantly being introduced, this data suggests that surveyed businesses may be relying on outdated response plans which don’t reflect the current threat and business landscape.
More tools led to worse response capabilities
The report also found that complexity is negatively impacting incident response capabilities. Those surveyed estimated their organization was using more than 45 different security tools on average, and that each incident they responded to required coordination across around 19 tools on average.
However, the study also found that an over-abundance of tools may actually hinder organizations’ ability to handle attacks. In the survey, those using more than 50 tools ranked themselves 8% lower in their ability to detect an attack (5.83/10 vs. 6.66/10), and around 7% lower when it comes to responding to an attack (5.95/10 vs. 6.72/10).
These findings suggest that adopting more tools didn’t necessarily improve security response efforts – in fact, it may have done the opposite. The use of open, interoperable platforms as well as automation technologies can help reduce the complexity of responding across disconnected tools.
Amongst high performing organizations in the report, 63% said the use of interoperable tools helped them improve their response to cyberattacks.
Security response efforts: Better planning pays off
This year’s report suggests that surveyed organizations who invested in formal planning were more successful in responding to incidents. Amongst respondents with a CSIRP applied consistently across the business, only 39% experienced an incident that resulted in a significant disruption to the organization within the past two years – compared to 62% of those who didn’t have a formal plan in place.
Looking at specific reasons that these organizations cited for their ability to respond to attacks, security workforce skills were found to be a top factor. 61% of those surveyed cited hiring skilled employees as a top reason for becoming more resilient; amongst those who said their resiliency did not improve, 41% cited the lack of skilled employees as the top reason.
Technology was another differentiator that helped organizations become more cyber resilient, especially when it comes to tools that helped them resolve complexity.
Looking at organizations with higher levels of cyber resilience, the top two factors cited for improving their level of cyber resilience were visibility into applications and data (57% selecting) and automation tools (55% selecting).
Overall, the data suggests that surveyed organizations that were more mature in their response preparedness relied more heavily on technology innovations to become more resilient.
While some organizations have increased security operations center (SOC) funding, the overall gains have been meager, and the most significant issues have not only persisted, but worsened, according to Devo Technology.
SOC team overload and burnout
The report, based on a survey conducted by Ponemon Institute, examines many of the same issues as last year, and found 60% of SOC team members are still considering changing careers or leaving their jobs due to burnout. The survey, conducted in March and April 2020, queried IT and IT security practitioners in organizations that have a SOC.
On the positive side, the importance of investing in a SOC remains high, with 72% of respondents categorizing the SOC as “essential” or “very important” to their organization’s overall cybersecurity strategy, up 5% year-over-year.
Additionally, the average annual cybersecurity budget for organizations rose $6 million to $31 million, with the SOC representing more than one-third of that total.
For respondents whose organizations have invested in people, process, and technology, the performance differences are stark. Strong business alignment (73%) and extensive training (67%) help high-performing SOCs more than double the effectiveness of their lower-performing brethren.
SOC team members continue to face barriers
However, the pain and barriers facing SOC teams are universal and worsening, with higher performers citing 10% more pain at an extreme level (9-10 on a 10-point scale), and virtually no difference in the level below that (7-8).
The major areas of pain and resistance include:
- 70% suffer a lack of visibility into the IT infrastructure (up from 65%)
- 64% combat turf or silo issues between IT and the SOC (up from 57%)
- 71% need greater automation (up from 67%), especially as they continue to spend substantial manual cycles on tasks such as alert management (47%), evidence gathering (50%), and malware protection and defense (50%)
- Environmental factors are driving substantially higher pain, including information overload (67%, up from 62%), burnout from increased workloads (75%, up from 73%) and “complexity and chaos” in the SOC (53%, up from 49%)
The perennial issue of a skills shortage
Not surprisingly, the perennial issue of a skills shortage (seen by more than 50% of respondents) is close to the heart of the issue. But digging deeper, it’s quickly apparent that across the board people, process, and technology are misaligned and inefficient:
- Organizations have too many tools (nearly 40%), and more than half don’t have all the data necessary, nor the ability to capture actionable intelligence
- While 76% say training/retention is highly important, more than 50% have no formal programs in place, and more than 50% cite the lack of skilled personnel as a major factor in SOC inefficiency
- Mean time to response (MTTR) remains unacceptably high, with 39% saying their average time to resolve an incident is “months or even years”
“At first blush, the data from the survey made it appear that SOCs are advancing, but it turns out the budget growth and successes hide substantial pain—and to achieve even these modest successes consumes considerable resources,” said Julian Waits, general manager, cybersecurity at Devo.
“While the focus and efforts of high-performing SOCs are driving them to be successful in spite of increasing barriers, that success comes at an unacceptable human cost. Seventy-eight percent of respondents say working in the SOC is very painful.
“Even more troubling, 69% say that experienced analysts would quit the SOC because of stress. It’s clear that significant reforms must be made to achieve greater SOC efficiency and engagement—with less analyst stress—especially in the face of a new economic normal that will likely constrain investments for some time to come.”
Alleviating SOC team pain
For all the friction and pain, high-performing teams are continuing to advance the benefits SOCs provide organizations and should be commended for their efforts. Most importantly, high-performing teams have driven strong business consensus, with 73% of SOC objectives aligned with business objectives, versus low performers for whom 63% have no alignment at all.
Among the lessons that can be learned from the findings, the top three actions cited to demonstrably alleviate SOC analyst pain are greater workflow automation (71%), implementing advanced analytics/machine learning (63%), and access to more out-of-the-box content (55%).
While digital transformation is understood to be critical, its rapid adoption, as seen with cloud providers, IoT and shadow IT, is creating significant cyber risk for most organizations. Today, these vulnerabilities are only exacerbated by misalignment between IT security professionals and the C-suite.
The research by CyberGRX and Ponemon Institute surveyed 900 IT security professionals and C-level executives covering financial, healthcare, industrial, public sector and retail industries.
Digital transformation is increasing cyber risk
Digital transformation is increasing cyber risk, and IT security has very little involvement in directing efforts to ensure a secure digital transformation process. Such misalignment of resources is illustrated by 82% of respondents believing their organizations experienced at least one data breach as a result of digital transformation.
Fifty-five percent of respondents say with certainty that at least one of the breaches affecting their organization was caused by a third party.
Digital transformation has increased reliance on third parties
Digital transformation has significantly increased reliance on third parties, specifically cloud providers, IoT and shadow IT, and many organizations do not have a third-party cyber risk management program.
Sixty-three percent of respondents say their organizations have difficulty in ensuring a secure cloud environment and 54% of IT security professionals say avoiding security exploits is a challenge.
Additionally, 56% of C-level executives say their organizations find it a challenge to ensure third parties have policies and practices that ensure the security of their information.
IT security and C-suite misalignments
Conflicting priorities between IT security and the C-suite create vulnerabilities and risk. These two groups do not agree on the importance of safeguarding risk areas, including high value assets.
IT security respondents are more likely to say the rush to produce and release apps, plus the increased use of shadow IT, are the primary reasons their organizations are more vulnerable following digital transformation.
In contrast, C-level respondents say increased migration to the cloud and increased outsourcing to third parties make a security incident more likely. The majority of C-level respondents do not want the security measures used by IT security to prevent the free flow of information and an open business model.
Budgets are, and will continue to be, inadequate to secure the digital transformation process. The majority of organizations do not have adequate budget for protecting data assets and don’t believe they will in the future. In fact, only 35% of respondents say they have such a budget.
Because of the risks created by digital transformation, respondents believe the percentage of the IT security budget allocated to digital transformation today should almost be doubled, from an average of 21% to 37%. In two years, the average percentage will be only 37%, and respondents say ideally it should be 45%.
“If there’s one major takeaway from our research, it’s that digital transformation is not going anywhere. In fact, organizations should expect—and plan for—digital transformation to become more of an imperative over time,” says Dave Stapleton, CISO, CyberGRX.
“For this reason, organizations must consider the security implications of digital transformation and shift their strategy to build in resources that mitigate risk of cyberattacks.
“Based on these findings, we recommend involving organizations’ IT security teams in the digital transformation process, identifying the essential components for a successful process, educating colleagues on cyber risk and prevention, and creating a strategy that protects what matters most.”
Security personnel and senior management need to unite
The research identifies trends and best practices from organizations that had mature digital transformation programs in place. These findings suggest that across organizations, flexibility and collaboration—particularly between IT teams and C-level executives—will be key to ensure digital transformation that is both efficient and secure.
Going forward, it is imperative that C-level executives comprehend the level of risk they take on when they become vulnerable to reputational damage brought on by security incidents involving third-party relationships.
At the same time, both security personnel and senior management need to unite on a strategy that lowers the organization’s cyber risk profile while keeping key business goals and operations in sync. Finally, significant investments in skilled personnel and the technologies that secure and protect data and assets must be made to reduce third-party risk.
There’s an acute need for IoT risk management improvement, as most organizations do not know what tracking and safeguards their third parties have in place, according to the Shared Assessments Program and the Ponemon Institute.
“While the proliferation and consumerization of embedded technology, including IoT devices, continues to evolve at a rampant pace, new security vulnerabilities and exposures are introduced.
“This is especially true when the use of IoT devices is extended to third parties, fourth parties, or even more concerning, when it’s unknown where the use of IoT devices is being extended, or those extensions are unmanaged,” observes Rocco Grillo, Managing Director, Global Cyber Risk Services, Alvarez & Marsal.
Current IoT risk management programs are not keeping pace with the dramatic increase in IoT-related risks, a shortcoming that represents a clear and expanding threat to most organizations.
- The problem is fueled by the steep expansion in IoT devices, the lack of a centralized IoT risk management program, and the lack of involvement from the most senior authority.
- Approximately one quarter of respondents self-report as higher performing organizations that are significantly more likely to implement leading risk management practices and apply them to IoT use. However, even these organizations need to enhance many aspects of their risk management capabilities.
“Clearly, the gap between understanding and practice must be closed, and quickly,” notes Charlie Miller, Senior Advisor, The Santa Fe Group, Shared Assessments Program.
“The study underscores a major disconnect between the authority and involvement that survey respondents say is needed from their Boards of Directors, and the actual governance exhibited today. It’s increasingly imperative that organizations get ahead of the problem and address IoT risks before a major disruptive event, not after one.”
As this study makes plain, swift, step-function improvements are needed throughout most IoT risk management programs and third-party risk management in general. Areas ripe for action include governance, risk and asset management practices, and resource allocation.
As organizations accelerate digital initiatives such as cloud and the IoT, and data volumes and types continue to rise, IT professionals cite protection of customer personal information as their number one priority, according to nCipher Security and the Ponemon Institute.
Threats, drivers and priorities
For the first time, protecting consumer personal information is the top driver for deploying encryption (54% of respondents), outranking compliance, which ranked fourth (47%).
Traditionally, compliance with regulations was the top driver for deploying encryption, but it has dropped in priority since 2017, indicating that encryption is transitioning from a requirement to a proactive choice to safeguard critical information.
Employee mistakes continue to be the biggest threat to sensitive data (54%) and significantly outweigh concerns over attacks by hackers (29%), or malicious insiders (20%). In contrast, the least significant threats cited include government eavesdropping (11%) and lawful data requests (12%).
Data discovery the number one challenge
With the proliferation of data from digital initiatives, cloud use, mobility, IoT devices and the advent of 5G networks, data discovery continues to be the biggest challenge in planning and executing a data encryption strategy, with 67% of respondents citing this as their top concern. And that is likely to increase, with a pandemic-driven surge in employees working remotely, using data at home, creating extra copies on personal devices and cloud storage.
Blockchain, quantum and adoption of new encryption technologies
The study indicates that 48% of organizations have adopted encryption strategies across their enterprises, up from 45% in 2019. With encryption deployment steadily growing, how are organizations looking ahead? In the near term, 60% of organizations plan to use blockchain, with cryptocurrency/wallets, asset transactions, identity, supply chain and smart contracts cited as the top use cases.
Other much-hyped technologies are not on IT organizations’ near-term radar. Most IT professionals see the mainstream adoption of multi-party computation at least five years away, with mainstream adoption of homomorphic encryption more than six years away, and quantum resistant algorithms over eight years out.
Trust, integrity, control
The use of hardware security modules (HSMs) continues to grow, with 48% of respondents deploying HSMs to provide a hardened, tamper-resistant environment with higher levels of trust, integrity and control for both data and applications.
Organizations in Germany, the United States and the Middle East are more likely to deploy HSMs, with Australia, Germany and the United States most likely to assign importance to HSMs as part of their organization’s encryption or key management activities.
HSM usage is no longer limited to traditional use cases such as public key infrastructure (PKI), databases, application and network encryption (TLS/SSL).
The demand for trusted encryption for new digital initiatives has driven significant HSM growth for big data encryption (up 17%), code signing (up 12%), IoT root of trust (up 10%) and document signing (up 7%). Additionally, 35% of respondents report using HSMs to secure access to public cloud applications.
The race to the cloud
Eighty-three percent of respondents report transferring sensitive data to the cloud, or planning to do so within the next 12 to 24 months, with organizations in the United States, Brazil, Germany, India and South Korea doing so most frequently.
In the next 12 months, respondents predict a significant increase in the ownership and operation of HSMs to generate and manage Bring Your Own Key (BYOK), and integration with a Cloud Access Security Broker (CASB) to manage keys and cryptographic operations. The survey found that the most important cloud encryption features are:
- support for Key Management Interoperability Protocol (KMIP) (67%)
- security information and event management (SIEM) integration (62%)
- granular access controls (60%)
- key usage audit logs (55%), and
- privileged user access controls (50%).
“Consumers expect brands to keep their data safe from breaches and have their best interests at heart. The survey found that IT leaders are taking this seriously, with protection of consumer data cited as the top driver of encryption growth for the first time,” says Dr Larry Ponemon, chairman and founder of Ponemon Institute.
“Encryption use is at an all-time high with 48% of respondents this year saying their organization has an overall encryption plan applied consistently across the entire enterprise, and a further 39% having a limited plan or strategy applied to certain application and data types.”
“As the world goes digital, the impact of the global pandemic highlights how security and identity have become critical for organizations and individuals both at work and at home,” says John Grimm, vice president of strategy at nCipher Security.
“Organizations are under relentless pressure to deliver high security and seamless access – protecting their customer data, business critical information and applications while ensuring business continuity.”
Other key trends
- The highest prevalence of organizations with an enterprise encryption strategy is in Germany (66%) followed by the United States (66%), Sweden (62%), Hong Kong (60%), Netherlands (56%) and the United Kingdom (54%).
- Payment-related data (54% of respondents) and financial records (54% of respondents) are most likely to be encrypted.
- The least likely data type to be encrypted is health-related information (25% of respondents), a surprising result given the sensitivity of this information and recent high-profile healthcare data breaches.
- The industries seeing the most significant increase in extensive encryption usage are manufacturing (49%), hospitality (44%) and consumer products (43%).
Continued adoption of IoT, cloud and mobile technologies is increasing the number of digital certificates and keys that ensure secure connections and identity authentication through PKI, research by Keyfactor and the Ponemon Institute reveals.
“This research demonstrates that despite heightened compliance focus, businesses struggle to manage foundational security like PKI and the tools and processes that maintain it. This is concerning, especially as the number of digital certificates and keys within enterprise continues to multiply,” said Chris Hickman, CSO at Keyfactor.
Regulatory compliance a strategic priority
Half of respondents indicate regulatory compliance as a strategic priority and two-thirds say their organization is adding additional layers of encryption to comply with regulations and IT policies.
However, undocumented or unenforced key management policies are problematic, with respondents averaging more than four failed audits or compliance experiences in the last 24 months.
“Less than half of respondents say they have sufficient staff dedicated to PKI,” said Hickman.
“A lack of program ownership, combined with the constant care and feeding that digital identities need, has introduced new risk, creating an exposure epidemic. Unless leaders invest in in-house processes and outsourced resources to manage PKI, enterprise will risk failed audits, fines and worse, a security breach.”
Foundational security: Additional findings
- A rise in security incidents: on average, organizations experienced a Certificate Authority (CA) or rogue man-in-the-middle (MITM) and/or phishing attack four times in the last 24 months, facing a 32% likelihood of a MITM or phishing attack over the next 24 months.
- Staffing shortages: on average, 15% of IT security budget is spent on PKI deployment annually, yet just 43% of respondents say their organisation has enough IT security staff members dedicated to PKI deployment.
- Lack of visibility: 70% of respondents say their organisation does not know how many digital certificates and keys it has within the business.
- Cryptography related security incidents undermine trust: 68% of respondents say failure to secure keys and certificates undermines the trust their organisation relies upon to operate.
- Cryptography lacks a center of excellence: despite the rising cost of PKI and growth of cryptography-related incidents, just 40% of companies have the ability to drive enterprise-wide best practice.
- Spending trend: represented organizations are spending an average of £9.37M on IT security annually, with £1.37M dedicated to PKI.
More than half of all healthcare vendors have experienced a data breach that exposed protected health information (PHI), and it’s a costly problem that points to broken third-party risk assessment processes, according to data released by the Ponemon Institute and Censinet.
The report shows that 54 percent of healthcare vendors have experienced at least one data breach of protected health information belonging to patients of the healthcare providers they serve. Of those 54 percent of respondents, 41 percent experienced six or more data breaches over the past two years. The average breach costs $2.75 million and exposes nearly 10,000 records.
Additionally, 54 percent of healthcare vendors believe that a single data breach would result in lost business and revenues from the healthcare providers they sell to, while 28 percent of vendors say that healthcare organizations have chosen another service or solution after they discovered gaps in the vendor’s privacy and security practices. This may be why only 36 percent of vendors would immediately notify providers if they confirmed a data breach that involved their PHI.
“The overall process for managing risk assessments is severely broken in healthcare,” stated Ed Gaudet, CEO and Founder of Censinet. “As an industry we must empower vendors with the right tools and behaviors that give healthcare providers the level of transparency, security and confidence they need to protect their business.”
Many of the vendor respondents believe that healthcare providers do not fully embrace risk assessments to accurately measure and manage third-party risk. For example, nearly half (41 percent) of healthcare vendor respondents said that providers do not require any action to be taken if they discovered gaps in vendors’ privacy and security practices and policies, and 42 percent say that providers do not require proof that the vendor complies with privacy and data protection regulations.
“Healthcare vendors and providers must move from simply checking a box to changing the culture,” continued Gaudet.
“This is an industry-wide problem and as such we need a new, collaborative approach that makes it easy for healthcare vendors and providers to band together and take action, implementing policies, procedures and controls that reduce risk holistically.”
The broken process of healthcare risk assessments
The research points to a fundamental failure of vendors and providers to work collaboratively to accurately measure third-party risk, largely because of the shortcomings of legacy risk management assessment processes.
According to the research, 55 percent of vendors say that risk assessments required by healthcare organizations are costly and time consuming, with vendors spending an average of $2.5 million annually to fill them out. This may be because 43 percent of vendors are still using spreadsheet-based processes for risk assessments.
Despite the effort vendors expend completing risk assessments, it’s hard to determine how accurate they are because 64 percent of vendors believe risk assessment questions are confusing and ambiguous.
Additionally, the rapidly changing threat landscape has made static risk assessments far less effective; 59 percent of respondents say that the risk assessments they fill out become out of date within three months or less, but only 18 percent say that healthcare providers require them to update the assessments more than once per year.
This may be why only 44 percent of vendors believe that risk assessments actually improve their security posture – a number that points to the misallocation of time and resources fueled by the need to check the box, rather than effectively mitigate risk.
“This research highlights many of the shortcomings in the risk assessment process and just how inadequate and ineffective industry certifications and frameworks are today for vendors,” stated Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute.
“According to the research, 55 percent of vendors say that these certifications do not provide enough value for the cost, while 77 percent indicate challenges with the certification process, including respondents who believe it is too time-consuming, too costly and too confusing.”
When asked about ways to improve the risk assessment process, healthcare vendors overwhelmingly turned to automation. According to the research, 61 percent of vendors believe that workflow automation would streamline the risk assessment process and 60 percent think workflow automation would make risk assessments more cost-effective.
If the risk assessment process were automated, vendors believe that the costs incurred would be reduced by up to 50 percent.
While corporations today are more knowledgeable about security threats and prepared to respond to data breaches, there are key areas in which progress declined in 2019, according to a study conducted by the Ponemon Institute.
Prepare beyond your data breach response plan
Sixty-eight percent of respondents say their organization has put more resources toward security technologies to detect and respond quickly to a data breach. 57% of those surveyed also reported that they believe their data breach response plans are “very” or “highly” effective, up from 49 percent in 2018.
More organizations are also taking additional steps to prepare beyond their data breach response plan. These steps include:
- Regularly reviewing physical security and access to confidential information (73%, up 3%)
- Conducting background checks on new full-time employees and vendors (69%, up 4%)
- Integrating data breach response into business continuity plans (56%, up 4%)
- Subscribing to a dark web monitoring service (26%, up 7%)
In the second year of surveying respondents about the GDPR, the findings revealed some good news. Organizations have improved their ability to comply with GDPR, with 54 percent of respondents saying they have a high or very high ability to comply with the regulation (an increase from 36%), while 50 percent of respondents report high or very high effectiveness in complying with the data breach notification rules (an increase from 23%).
Confidence levels are down
While more time and resources are being put toward preventing and preparing for a data breach, unfortunately, 63 percent of those surveyed reported they had a data breach involving more than 1,000 records, a 4 percent increase from 2018. There was a slight increase (1%) in the share of those who had data breaches more than five times (12%).
Consequently, organizations are struggling in the following areas:
- Since 2017, the share of respondents who say their organization is very confident or confident in its ability to deal with spear phishing attacks has declined from 31 percent to 23 percent. Sixty-nine percent of respondents had one or more spear phishing attacks in 2019.
- Thirty-six percent of respondents say their organization had a ransomware attack last year with only 20 percent feeling confident in their ability to deal with it. The average ransom was $6,128 and 68 percent of respondents say it was paid.
- From a reputation standpoint, only 23 percent of respondents say their organization is confident in its ability to minimize the financial and reputational consequences of a material data breach, while 38% believe they’re effective at doing what needs to be done following a data breach to prevent the loss of customers’ and business partners’ trust and confidence.
- With more breaches being international in scope, only 34 percent of respondents say they are confident in their organization’s ability to respond to global breaches.
- 66% of respondents say their organization hasn’t reviewed or updated the plan since it was put into place or hasn’t set a specific time to review and update the plan.
“It’s a bit surprising to see that organizations have made great strides in certain areas, but not in others, especially when it comes to fighting rudimentary attacks, such as spear phishing or IoT and malware infiltration,” said Michael Bruemmer, vice president of Data Breach Resolution at Experian. “But, overall, with 94 percent of organizations having a data breach response plan in place, and a third deploying data protection program activities across the enterprise with C-level support, security postures have improved immensely. However, organizations shouldn’t let their guard down and should continue to invest in trainings, technology and external response partners.”
IT security practitioners are aware of good habits when it comes to strong authentication and password management, yet often fail to implement them due to poor usability or inconvenience, according to Yubico and Ponemon Institute.
The conclusion is that IT security practitioners and individuals are both engaging in risky password and authentication practices, yet expectation and reality are often misaligned when it comes to the implementation of usable and desirable security solutions.
The tools and processes that organizations put in place are not widely adopted by employees or customers, making it abundantly clear that new technologies are needed for enterprises and individuals to reach a safer future together.
“IT professional or not, people do not want to be burdened with security — it has to be usable, simple, and work instantly,” said Stina Ehrensvärd, CEO and Co-Founder, Yubico.
“For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap. With the availability of passwordless login and security keys, it’s time for businesses to step up their security options. Organizations can do far better than passwords; in fact, users are demanding it.”
Individuals report better security practices in some instances compared to IT pros
Out of the 35% of individuals who report that they have been victim of an account takeover, 76% changed how they managed their passwords or protected their accounts. Of the 20% of IT security respondents who have been a victim of an account takeover, 65% changed how they managed their passwords or protected their accounts.
Both individuals and IT security respondents have reused passwords on an average of 10 of their personal accounts, but individual users (39%) are less likely to reuse passwords across workplace accounts than IT professionals (50%).
Poor password hygiene
Fifty-one percent of IT security respondents say their organizations have experienced a phishing attack, with another 12% of respondents stating that their organizations experienced credential theft, and 8% say it was a man-in-the-middle attack.
Yet only 53% of IT security respondents say their organizations have changed how passwords are managed or how corporate accounts are protected. Interestingly enough, individuals reuse passwords across an average of 16 workplace accounts, and IT security respondents say they reuse passwords across an average of 12 workplace accounts.
Mobile use is on the rise
Fifty-five percent of IT security respondents report that the use of personal mobile devices is permitted at work and an average of 45% of employees in the organizations represented are using their mobile device for work.
Alarmingly, 62% of IT security respondents say their organizations don’t take necessary steps to protect information on mobile phones. Fifty-one percent of individuals use their personal mobile device to access work related items, and of these, 56% don’t use two-factor authentication (2FA).
Poor employee access protection
Given the complexities of securing a modern, mobile workforce, organizations struggle to find simple, yet effective ways of protecting employee access to corporate accounts. Roughly half of all respondents (49% of IT security and 51% of individuals) share passwords with colleagues to access business accounts.
Fifty-nine percent of IT security respondents report that their organization relies on human memory to manage passwords, while 42% say sticky notes are used. Only 31% of IT security respondents say that their organization uses a password manager, which is an effective tool to securely create, manage, and store passwords.
Concerns about customer information and PII security
IT security respondents say they are most concerned about protecting customer information and personally identifiable information (PII). However, 59% of IT security respondents say customer accounts have been subject to an account takeover. Despite this, 25% of IT security respondents say their organizations have no plans to adopt 2FA for customers.
Of these 25% of IT security respondents, 60% say their organizations believe usernames and passwords provide sufficient security and 47% say their organizations are not going to provide 2FA because it will affect convenience by adding an extra step during login.
When businesses are choosing to protect customer accounts and data, the 2FA options that are used most often do not offer adequate protection for users.
Three main 2FA methods
IT security respondents report that SMS codes (41%), backup codes (40%), or mobile authentication apps (37%) are the three main 2FA methods that they support or plan to support for customers. SMS codes and mobile authenticator apps are typically tied to only one device.
Additionally, 23% of individuals find 2FA methods like SMS and mobile authentication apps to be very inconvenient. A majority of individuals rate security (56%), affordability (57%), and ease of use (35%) as very important.
Individuals only adopting new technologies that are easy to use
It is clear that new technologies are needed for enterprises and individuals to reach a safer future together. Across the board, passwords are cumbersome, mobile use introduces a new set of security challenges, and the security tools that organizations have put in place are not being widely adopted by employees or customers.
In fact, 49% of individuals say that they would like to improve the security of their accounts and have already added extra layers of protection beyond a username and password.
However, 56% of individuals will only adopt new technologies that are easy to use and significantly improve account security. Here’s what is preferred: biometrics, security keys, and password-free login.
Passwordless methods are preferred
A majority of IT security respondents and individuals (55%) would prefer a method of protecting accounts that doesn’t involve passwords. Both IT security (65%) and individual users (53%) believe the use of biometrics would increase the security of their organization or accounts.
And lastly, 56% of individuals and 52% of IT security professionals believe a hardware token would offer better security.
“Connectivity and the number of digital identities within the enterprise has grown exponentially thanks to continued cloud, mobile, DevOps and IoT adoption,” said Chris Hickman, CSO, Keyfactor.
“The complexity of managing those identities while keeping them securely connected to the business has created a critical trust gap – in many cases the keys and certificates designed to build trust are instead causing outages and security breaches.”
Digital certificates and keys ensure authenticity across enterprise user, application and device identities. Cryptographic algorithms encrypt the data associated with those identities, providing secure communication and exploit protection.
Two-thirds of respondents say their organization is adding additional layers of encryption to comply with industry regulations and IT policies; however, shorter certificate validity has doubled the management workload on short-staffed IT and security teams.
Additional key findings
- Connected IoT increasing risk: 60% say they’re adding additional layers of encryption technologies to secure IoT devices, but 46% admit low ability to maintain IoT device identities and cryptography over device lifetime.
- A rise in security incidents: on average, organizations have experienced a rogue Certificate Authority (CA), man-in-the-middle (MITM) and/or phishing attack five times in the last 24 months, with a 40% likelihood of a MITM or phishing attack over the next 24 months; 73% of respondents admitted that digital certificates have caused and continue to cause unplanned downtime and outages.
- Staffing shortages: on average, 16% of the IT security budget is spent on PKI deployment annually, yet just 38% of respondents say their organization has enough IT security staff members dedicated to PKI deployment.
- Cryptography related security incidents undermine trust: 76% of respondents say failure to secure keys and certificates undermines the trust their organization relies upon to operate.
- Cryptography lacks a center of excellence: Despite the rising cost of PKI and growth of cryptography-related incidents, just 60% of companies have the ability to drive enterprise-wide best practices.
“This report reinforces cryptography’s importance within the security agenda,” said Hickman.
“In many cases, PKI remains a manual function with ownership split across IT and security teams. Growing connectivity has created an exposure epidemic. Without a clear PKI in-house or outsourced program owner and process to close critical trust gaps, the risk of outages and breaches will continue to rise.”
Security pros anticipate automation will reduce IT security headcount, but not replace human expertise
The majority of companies (77 percent) continue to use or plan to use automation in the next three years, according to a Ponemon Institute and DomainTools survey.
The biggest takeaway in this year’s study is that 51 percent of respondents now believe that automation will decrease headcount in the IT security function, an increase from 30 percent in last year’s study. Further, concern among employees about losing their jobs because of automation has increased to 37 percent from last year’s 28 percent.
Meanwhile, the cybersecurity skills shortage continues to be a problem. Sixty-nine percent of organizations’ IT security functions are understaffed, a slight improvement over last year’s 75 percent.
Mixed opinions about automation
The adoption of automation tools for cybersecurity this past year has had mixed reviews. Overall, 74 percent agree that automation enables IT security staff to focus on more serious vulnerabilities and overall network security. Interestingly, automation highlights a renewed focus on the importance of the human role in security. Of respondents:
- Only 40 percent believe automation reduces human error
- Half believe automation will make jobs more complex
- Fifty-four percent think automation will never replace human intuition and hands-on experience
- Seventy-four percent (a rise from last year’s 68 percent) say that automation is not capable of certain tasks done by IT security staff.
The number one roadblock for companies that considered automation but do not plan to automate is a lack of in-house expertise (53 percent), followed by a heavy reliance on legacy IT environments.
“The perspective around the effects of automated technologies for IT security continues to shift year after year,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
“As adoption of automation becomes more mainstream and improves the effectiveness and efficiency of IT security staff, they are anticipating that they will be able to accomplish more with fewer bodies.
“What is likely is for there to be a consolidation of existing roles, rather than an elimination. This means better opportunities for employees to up-level their current skills to create more value-added roles as the human side of security remains as important as ever.”
The benefits of automation
The report revealed that regulatory compliance standards such as GDPR are a growing global influence on organizations’ use of automation, cited by 72 percent, up from last year’s 66 percent.
This is reflected in the need for familiarity with security regulations and standards in both entry-level and highly experienced job candidates in the US – topping the list of knowledge requirements for the first time at 81 percent.
Automation is not a quick fix-all solution, though it is proving to deliver tangible benefits and results. A majority (60 percent) of employees state that automation is reducing stress in their lives and 43 percent say it increases productivity.
Enhancing the capabilities of security staff
Automation delivers productivity benefits such as reducing false positives and/or false negatives (43 percent), increasing the speed of analyzing threats (42 percent), and prioritizing threats and vulnerabilities (39 percent).
“Automation is already improving the productivity of security personnel across industries. We are still in the early stages of adoption and just touching the surface of how automation will enhance the capabilities of security staff and evolve security roles,” said Corin Imai, Senior Security Advisor, DomainTools.
“However, the human factor remains the most important player in information security. Automation will never fully replace human intuition and expertise, and those that become experts in deploying and managing automation solutions will have a new valuable skill set for many years to come.”
Additional trends revealed in the report include:
- Almost half of respondents (48 percent) are sharing threat intelligence to collaborate with industry peers.
- Forty-seven percent of organizations do not invest in training or onboarding of security personnel.
- Fifty-three percent of respondents have seen an increase in attackers’ use of automation.
- Only 41 percent of CEOs and/or boards of directors are briefed on the use of automation.
Organizations are not making progress in reducing their endpoint security risk, especially against new and unknown threats, a Ponemon Institute study reveals.
68% of IT security professionals say their company experienced one or more endpoint attacks that compromised data assets or IT infrastructure in 2019, an increase from 54% of respondents in 2017.
Zero-day attacks continue to increase in frequency
Of those incidents that were successful, 80% were new or unknown, zero-day attacks. These attacks either involved the exploitation of undisclosed vulnerabilities or the use of new malware variants that signature-based detection solutions do not recognize. Zero-day attacks continue to increase in frequency and are expected to more than double this year.
These attacks are also inflicting more bottom-line business damage. The study found that the average cost per endpoint breach increased to $9M in 2019, up more than $2M since 2018.
“Corporate endpoint breaches are skyrocketing and the economic impact of each attack is also growing due to sophisticated actors bypassing enterprise antivirus solutions,” said Larry Ponemon, Chairman of Ponemon Institute.
“Over half of cybersecurity professionals say their organizations are ineffective at thwarting major threats today because their endpoint security solutions are not effective at detecting advanced attacks.”
The third annual study surveyed 671 IT security professionals responsible for managing and reducing their organization’s endpoint security risk.
Increasing vulnerability during patch gaps
In addition to expressing concern over zero-day threats, respondents noted increasing vulnerability during patch gaps. In fact, 40% of companies say it’s taking longer to patch, with an average patch gap of 97 days due to the number of patches and their complexity.
Patch exploits will continue to be a hot-button issue in 2020 as the last remaining organizations upgrade to Windows 10 on the heels of Windows 7 end of life, and patch frequency increases.
An extra layer of security added to antivirus solutions
The shift to Windows 10 is also ushering in new enterprise security strategies that can be effective in thwarting more advanced threats. With Windows Defender AV built into the Windows 10 operating system, 80% of organizations report using or planning to use Defender AV for savings over their legacy antivirus solution.
Cost savings are being reallocated towards an added layer of advanced threat protection in endpoint stacks and an increase in IT resources. 51% of cybersecurity professionals say they’ve added an extra layer of security to their antivirus solutions.
Furthermore, since 2017 the number of IT departments reporting they have ample resources to minimize endpoint threats has increased from 36% to 44%.
“The move to Windows 10 provides the perfect opportunity for organizations to retool their endpoint security to better defend against the zero-day attacks and advanced threats that are evading legacy antivirus in 2020 and pose the biggest risk to their business,” said Andrew Homer, VP of Security Strategy at Morphisec.
“Forward thinking cybersecurity professionals are shifting to the free antivirus capability built into Windows 10 and reallocating their cost savings into an additional layer of advanced threat protection and increased IT resources.”
The study found that half of the companies who have adopted EDR cite costly customization (55%) and false-positive alerts (60%) as significant challenges.
In addition, of IT departments that haven’t adopted EDR yet, 65% say lack of confidence in the ability to prevent zero-day threats and 61% note security staffing limitations as the top reasons to avoid adoption.
While cybersecurity professionals are certainly aware of the growing threat posed by sharing data with third parties, many seem to lack the urgency required to address this challenge.
If there is one work-related New Year’s resolution I’d like CISOs to make as we enter 2020, it’s to give the challenge of third-party cyber risk the attention it needs. In fact, I no longer see this as optional or as an extension of an enterprise risk and cybersecurity strategy, because third-party data breaches will dominate the threat landscape in 2020.
Data breaches and third-party cyber risk
This is not a new challenge. Headlines over the last few years are filled with major breaches caused by hackers accessing companies’ data through their third-party vendors.
Six years ago, attackers breached Target by using login credentials stolen from a company that provided HVAC services to the retailer. That breach should have been a wakeup call for enterprises and cybersecurity vendors to address the challenge of third-party cyber risk, but years later these types of incidents are becoming even more frequent.
In the last year, for example, an unauthorized user gained access to data on 11 million Quest Diagnostics patients through the company’s partner debt-collection agency. Another bad actor accessed data on millions of Capital One credit card applicants through a misconfigured Amazon cloud container.
Estimates indicate that around 60 percent of data breaches are linked to third parties, and we can expect that percentage to increase as more companies embrace digital platforms and new operating models that require sharing of data with partners and service providers.
Enterprise boundaries will continue to blur in 2020 with more organizations investing in cloud computing, using file sharing platforms such as DropBox, Google Drive or OneDrive, and connecting more devices on the edge of their networks.
If CISOs continue to focus cybersecurity tools and resources within the company perimeter, they are fighting the wrong battle in an increasingly multi-front cybersecurity war.
Elevating third-party cyber risk to a C-suite and board imperative
One of the most important things CISOs can do to put the appropriate focus on third-party cyber risk is to make it a corporate reputation issue requiring support and oversight from C-suite and board executives.
Along with the opportunities for greater innovation, productivity, operational efficiency and customer engagement, digital transformation has created new vulnerabilities across the enterprise – and beyond its borders – that could impact corporate reputation if exploited.
With the average enterprise engaging with several hundred partners and other third parties, it’s not a question of “if” the data will be exposed, but of “when” and how much corporate reputation will suffer as a result of loss of trust.
CISOs must get better at educating business leaders about these unintended consequences of digital transformation. The reality, however, is that 63 percent of CISOs don’t regularly report to their boards, according to a recent Ponemon Institute study. Worse, a stunning 40 percent of CISOs said they never report to their boards at all. This lack of connection and accountability at the C-suite and board level is a major problem.
What CISOs should do
CISOs in 2020 must become stronger advocates for shifting from reactive to proactive cybersecurity postures. They must advocate for creating more resilient and cyber-aware cultures where cybersecurity is seen as everyone’s responsibility.
CISOs should also start to align their investments in cybersecurity with the new reality that threats are more likely to materialize through third parties.
That means not only assessing third parties for potential vulnerabilities, but also using new approaches and tools coming to market that can identify actual data that a third party inadvertently exposed, and that can enable immediate remediation.
Are you optimistic?
I am optimistic about the cybersecurity industry’s ability to rise to this challenge, provide those tools and help CISOs shift and elevate their organization’s cyber posture when it comes to third-party and other emerging risks. It’s why I left the FBI to join the industry after 20 years working in the bureau’s cyber, counterintelligence and counterterrorism branches.
I’ve seen firsthand how damaging third-party data leaks can be for businesses and other institutions, and I’ve seen the struggles CISOs undertake to just keep up.
With the right resolve and the right support from the cybersecurity industry, CISOs can take charge of this challenge in 2020, commit to shifting their focus toward third-party cyber risk, and engage C-suite and board executives about the strategic importance of doing so.
PCs still running Windows 7 when it reaches end of life on the 14th of January will be significantly more at risk of ransomware, Veritas Technologies has warned. According to experts, 26% of PCs are expected to still be running the Microsoft software after support for patches and bug fixes ends.
The vulnerability to ransomware of PCs running unsupported software was demonstrated by WannaCry. Despite supported PCs being pushed patches for the cryptoworm, Europol estimated that 200,000 devices in 150 countries, running older, unsupported software, became infected by WannaCry. Although just $130,000 was paid in ransoms, the impact to business is understood to have run into the billions of dollars due to lost productivity and lost data.
Microsoft ended mainstream support of Windows 7 in 2015, giving users five years to ready themselves for the software to reach end of life.
Businesses running Windows 7 should prepare themselves in order to avoid the impact that vulnerability to ransomware could have on their organizations. Here are five tips that could help navigate this challenge:
Educate employees – The biggest risk is to data that employees save to unprotected locations. Ensure that users are following best practices for where to save data so that it can be secured and consider running a simulation. Saving valued data to centralized servers, data centers or to the cloud can help reduce risk.
Evaluate risk by understanding your data – For enterprises, insight software solutions can help to identify where key data lives and ensure that it complies with company policies and industry regulations. This is critical not only to identify the challenges but also to prioritize the recovery process.
Consider a software upgrade – This isn’t going to be practical for large enterprises in the time available, but it could well be part of a longer-term strategy. For SMEs, the most sensible solution might be simply to upgrade to an operating system that has ongoing support.
Run patches whilst you can – According to the Ponemon Institute, 60% of respondents who experienced data breaches did so despite a patch to prevent breaches being available to them. Businesses should at least make sure that they are as up-to-date as they can be whilst they can. Users will also be able to buy “ESUs” from Microsoft to access patches during their migration to newer software.
Ensure that data is backed up – Ransomware relies on the idea that paying a ransom is going to be the only or cheapest way to regain access to your data, yet research shows that less than half of those that pay up are actually able to recover their data from cyber criminals. Veritas advocates the “3-2-1 rule”, where data owners have three copies of their data, two of which are on different storage media and one of which is air-gapped in an offsite location. With an air-gapped data backup solution, businesses have the much safer, and more reliable, option of simply restoring their data.
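As an added illustration of the 3-2-1 rule in the last tip (example code written for this page, not Veritas software or anything from the report), the following Python check takes an inventory of where copies of a data set live and reports which of the rule's three conditions hold, plus which copies a ransomware infection on the production host could still reach over the network. The BackupCopy fields, the rule that the production copy counts as one of the three, and the two sample inventories are all assumptions constructed for the example.

```python
"""Check a backup inventory against the 3-2-1 rule.

Added illustration, not Veritas code: given an inventory of copies of one
data set, report whether the rule's three conditions are met and which
copies are still writable from production (and so exposed to ransomware).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a data set. Field names and sample values are assumptions."""
    name: str
    media: str          # storage medium, e.g. "local-disk", "tape", "object-store"
    site: str           # physical or logical location of the copy
    offsite: bool       # stored away from the production site
    air_gapped: bool    # not writable over the network from production


def evaluate_321(copies):
    """Return a dict describing 3-2-1 compliance for the given copies.

    Assumption: the production copy counts as one of the three copies,
    so the caller includes it in `copies`.
    """
    media_types = {c.media for c in copies}
    safe = [c for c in copies if c.offsite and c.air_gapped]
    three = len(copies) >= 3            # "3": at least three copies
    two = len(media_types) >= 2         # "2": on at least two media types
    one = len(safe) >= 1                # "1": one copy offsite and air-gapped

    findings = []
    if not three:
        findings.append(f"only {len(copies)} copy/copies, need at least 3")
    if not two:
        findings.append(f"all copies on one medium ({', '.join(sorted(media_types)) or 'none'})")
    if not one:
        findings.append("no copy is both offsite and air-gapped")

    # Any copy production can write to can be encrypted by ransomware
    # running on production, whatever site it sits at.
    exposed = [c.name for c in copies if not c.air_gapped]
    return {
        "three_copies": three,
        "two_media": two,
        "one_offsite_airgapped": one,
        "compliant": three and two and one,
        "network_reachable_copies": exposed,
        "findings": findings,
    }


# Constructed sample inventories (not from any real organization).
# WEAK: a production share and a nightly copy on a NAS at the same site,
# both on disk and both writable over the network.
WEAK_INVENTORY = [
    BackupCopy("production fileserver", "local-disk", "hq", False, False),
    BackupCopy("nightly copy on NAS share", "local-disk", "hq", False, False),
]

# STRONG: the same two plus a weekly tape kept in an offsite vault.
STRONG_INVENTORY = WEAK_INVENTORY + [
    BackupCopy("weekly tape in vault", "tape", "vault", True, True),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK_INVENTORY), ("strong", STRONG_INVENTORY)):
        result = evaluate_321(inventory)
        print(label, "compliant" if result["compliant"] else "NOT compliant")
        for finding in result["findings"]:
            print("  -", finding)
        print("  writable from production:", result["network_reachable_copies"])
```

The point the weak inventory makes is the one WannaCry made in practice: a second copy on a network share at the same site is not a recovery option if the worm can reach it, so the air-gapped, offsite copy is the condition that actually buys a restore path.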
“WannaCry was a clear example of the dangers that businesses can face when they are using software that has reached end of life. In January 2020, a quarter of all PCs are going to fall into this category so it’s vital that the organizations that rely on Windows 7 are aware of the risks and what they need to mitigate them,” said Ian Wood, Senior Director, EMEA Cloud & Governance Business Practice, Veritas.
“This type of ransomware attack tends to have a disproportionate effect on organizations that can afford ransoms least – for example, we saw high-profile attacks on public sector bodies in 2017. So, it’s critical for those running Windows 7 to act now and put plans in place to ensure that they are able to protect themselves. Organizations need to understand their data and make sure that information is being stored in the right place where it can be protected and made available when needed,” Wood concluded.