sbradley
Contributing Writer

Security teams report rise in cyber risk

Feature
Aug 18, 2021
5 mins
Risk Management

A recent report shows declining confidence in many organizations’ security function to address today’s threats. Here’s why and how security teams can reverse the trend.


Do you feel like you are gaining in your ability to protect your data and your network? If you are like 80% of respondents to Trend Micro’s biannual Cyber Risk Index (CRI) report, you expect to experience a data breach that compromises customer data in the next 12 months.

The report surveyed more than 3,600 businesses of all sizes and industries across North America, Europe, Asia-Pacific, and Latin America for their thoughts on cyber risk. Despite an increased focus on security due to high-profile ransomware and other attacks in the past year, respondents reported a rise in risk due to inadequate security processes like backing up key assets.

Why security risk is rising

Organizations are overwhelmed as they pivot from traditional to distributed networks. Pandemic-driven work-from-home growth is potentially how businesses will be run going forward. That distributed network means that it’s harder for IT staff to know what assets are under their control and what security controls should be in place. With the line blurring between corporate and personal assets, organizations are overwhelmed with the pace of change.

Cloud deployments can bring their own complications as they are often misconfigured or leave credentials behind for attackers to find in such locations as GitHub. The cloud also has brought more platforms for attackers to go after. While Windows used to be the major target, now attackers are pivoting to attacking Linux and IoT devices.

Where security risk is rising

The Trend Micro CRI report identified the following areas as having elevated risk worldwide, meaning they scored below 5 on a scale of -10 to 10, where 10 represents the lowest level of risk.

  • Ability of enabling security technologies to protect data assets and IT infrastructure: 4.05
  • IT security leader (CISO) has sufficient authority and resources to achieve a strong security posture: 4.09
  • The organization is involved in threat sharing with other companies and government: 4.37
  • IT security function supports security in the DevOps environment: 4.40
  • IT security function has the ability to know the physical location of business-critical data assets and applications: 4.45

North American respondents had a different list with lower ratings:

  • IT security function is able to prevent most cyberattacks: 2.55
  • IT security function is able to contain most cyberattacks: 2.80
  • The organization is involved in threat sharing with other companies and government: 3.16
  • Ability of enabling security technologies to protect data assets and IT infrastructure: 3.21
  • IT security function is able to detect zero-day attacks: 3.32

The report’s top threat risks include man-in-the-middle attacks, ransomware attacks, phishing and social engineering, fileless attacks and botnets. Again, firms doubt that they can prevent or detect most cyberattacks, let alone zero-day attacks.

Data types most at risk worldwide, according to the report, are business communication (email), financial information, analytics (data models), consumer data, and company confidential information. The top security risks in infrastructure are organizational misalignment and complexity, cloud computing infrastructure and providers, negligent insiders, shortage of qualified personnel, and malicious insiders.

Mitigating security risk

Firms need to spend more time and resources protecting key data repositories. Too often they are easy to identify and target because the data they hold follows patterns that can be scanned for. Credit card numbers, for example, have a distinctive pattern when they are stored in databases, so you must ensure that they are properly encrypted in transit, in storage, and at rest.
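Because card numbers follow a scannable pattern, defenders can run the same kind of pattern scan against their own repositories to find numbers that are still held in cleartext before they are encrypted or tokenized. The following is an added example, not code from the article or the Trend Micro report; it runs over constructed sample records and reports any Luhn-valid card-like number in masked form so the scan output itself does not become a new cleartext copy.

```python
import re
from typing import Dict, List

# Constructed sample records standing in for rows of a business database.
# Rows 1 and 5 hold well-known industry test PANs; row 2 has a one-digit
# typo; row 3 is tokenized; row 4 is a 16-digit order number (fails Luhn).
SAMPLE_ROWS: List[Dict[str, object]] = [
    {"id": 1, "note": "card 4111 1111 1111 1111 exp 12/26"},
    {"id": 2, "note": "card 4111-1111-1111-1112 exp 12/26"},
    {"id": 3, "note": "card tok_9f3a1c7d (tokenized)"},
    {"id": 4, "note": "order 1234567890123456 shipped"},
    {"id": 5, "note": "amex 378282246310005 on file"},
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Scan every string field of every row; report Luhn-valid candidates masked."""
    findings = []
    for row in rows:
        for value in row.values():
            if not isinstance(value, str):
                continue
            for match in CANDIDATE_RE.finditer(value):
                digits = re.sub(r"[ -]", "", match.group(0))
                if 13 <= len(digits) <= 19 and luhn_ok(digits):
                    findings.append({"row_id": row["id"], "masked": mask_pan(digits)})
    return findings


if __name__ == "__main__":
    for hit in find_cleartext_pans(SAMPLE_ROWS):
        print(f"row {hit['row_id']}: cleartext PAN {hit['masked']}")
```

The Luhn check drops digit runs that merely look like card numbers (the order number in row 4), which keeps the report focused on fields that actually need encryption or tokenization.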

Keeping up with patching processes is important but difficult for most businesses. The concern is as much about defending against targeted zero days as about keeping day-to-day patching processes on schedule.

Often firms are unaware of what is attacking them and must defend without knowing what their true risks are, and they lack the ability to share information about threats. Companies should consider joining an Information Sharing and Analysis Center (ISAC) dedicated to their industry. It’s a great way to get early warning of threats and advice for mitigating them.

The typical network generates vast and complex log data. If you don’t plan log archives ahead of time, you will lose information you need to properly perform investigations and understand how the attackers got into your network and what they accessed while they were in the network.

Pay attention to cloud and IoT risks. Too often cloud services are set up with overly permissive settings to ease deployment. Review the application permission flows in cloud services to ensure that a firm administrator must approve any new application deployed in the network. Place appropriate focus on security technology solutions as well as on hiring staff qualified to run them soundly.

Most important, the Trend Micro CRI survey showcases the need to focus on risk management and prioritizing the threats. Once you have that assessment (and presumably buy-in from company leadership), it will be easier to align security mandates across the network and take on other initiatives such as minimizing complexity in your network.

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL Slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserv, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds Wrap for her tinfoil hat.