One of the biggest problems in the field of cybersecurity is that there is more than one battle going on; it’s not just the hackers that are the issue.
All organizations now want agility. They want innovation. They want to work from home, fix servers from thousands of miles away or ditch servers entirely, release updates to critical applications on a daily basis — and they want to do all of it as quickly and inexpensively as possible.
Security-by-design is a worthy objective, but for many organizations, that term (at best) can amount to placing further strain on an already overstretched team — an expectation that security teams can be instantly expert in new and unfamiliar technologies without providing them with the training time and investment required.
To understand the problem, we need to understand how most infosec professionals would respond to these three questions:
- How would you summarize the last 12 months in cybersecurity?
- Have things gotten worse or did they get better?
- What are the primary tactics of hackers these days?
The nearest I get to being able to sit in front of thousands of you and ask those types of questions is leafing through surveys (when time permits). Fortunately, I was recently sent a sneak preview of ISACA’s State of Cybersecurity 2021 – Part 2. This is one of the broadest, global annual surveys of security practitioners: a chance to effectively crowdsource thoughts and helpful insights from fellow professionals.
One item immediately apparent is that the general competence and capability level in the field of cybersecurity appears to be improving. Maybe that is because it has to. Cyber-criminals will now pursue anything of value that is not digitally nailed down. At a time when businesses want to innovate and update technologies faster than ever, finding those loose, vulnerable digital assets and opportunities is problematic.
It used to be that hackers latched on to one or two primary trends (or attack types) in any given year — but when the State of Cybersecurity survey asked what kind of cyber-attacks were most frequent, the responses reflected a broad spread. In top position with just 14% came social engineering, but items such as ransomware, denial-of-service, misconfiguration and unpatched systems were all reasonably close behind — each one with very similar scores.
APTs (advanced persistent threats) used to be the tactics of a small cohort of advanced hackers, but now that small cohort has become a tsunami of opportunists, pushing APTs into the second-most frequent type of cyber-attack (10% of respondents). Based on the survey respondents, APTs are now a more frequent problem that an incident team may need to address than ransomware or denial-of-service.
Ten years ago, it was possible for anyone to switch into a security role and rapidly learn the overall fundamentals. Now there is so much diversity in the technology and threat types that even the most seasoned/overcooked experts have to pick and choose what they need to learn about. Despite the continuously evolving threat levels and the ever-expanding array of technologies and digital locations, the survey does reveal quite a lot of good news: 77% of the respondents have high confidence in their cybersecurity teams’ ability to detect and respond to threats.
Organizations investing in maturing their cybersecurity are recording less of an increase in cyber-attacks. Only 35% of the respondents were seeing an increase in attacks compared to industry reports of (for example) a 485% increase in ransomware in this recent Infosecurity article.
… and with some irony — as I write this article, even the infosec-magazine website is finding itself the target of a denial-of-service attack (and addressing it by enhancing the DoS protection service). This very much exemplifies the problem being experienced across the industry: it is no longer a viable strategy to *hope* that you can just have something exploitable overlooked by cyber-criminals. There are too many criminal hackers — and the over-population situation is causing them to occupy every vulnerable nook and cranny that can be found.
What is Your Biggest Cyber-Attack Concern?
Just behind reputation (78%) and financial damage (69%), in third place with 49%, respondents highlighted their concerns about the impact of supply chain issues.
For me, this survey result stood out more than any other. Security teams have traditionally been forced by budgetary or jurisdictional constraints to minimize what they can do when it comes to the security of their suppliers. Now, security teams are finding that they have to identify all the critical dependencies they have on anything third party: not just remote suppliers, but also cloud services (no matter how large) and in-house applications that receive remote updates. Even the smallest of “smart” items nestled in an environment can no longer afford to be overlooked.
A security team may not be able to fix a security problem at a supplier, but there is an increasing trend to at least be ready with a contingency plan. For example, what would you do if the major cloud supplier that processes 99% of your data has an extended outage?
Attacks that seemed unthinkable a few years ago are now hitting the headlines every few months. Critical infrastructure, tech giants, social media platforms — all of them have proven that they have the potential to be taken down just as hard and fast as any other organization.
The upside is that security teams have (in most cases) risen to the challenge. The increase in attacks is resulting in security teams with more competence and capability than ever before.
So, how would I summarize the state of cybersecurity in 2021? “You could be taken out at any time by a broad and diverse range of adverse cyber events — but at least your security team will most likely know how and why it happened …”
If you want to keep your organization operating reliably in 2022, invest heavily in cybersecurity, invest in continuous education, invest in expanding defenses and expect the attacks to become even more robust.
The numbers of hackers, criminals and attacks are consistently moving in the wrong direction. Organizations with weak security are more likely than ever to fall by the wayside. The organizations with the strongest cybersecurity will continue to benefit.
Maybe you don’t believe me — but think on this: perhaps the reason the ISACA survey shows that organizations have more faith than ever in their ability to effectively respond to and resolve any cyber-attack is not because every team got better at it, but because the organizations that did not are disappearing fast.