I recently finished the book This is how they tell me the world ends by Nicole Perlroth, an investigative report on worldwide cybersecurity that reads like a spy novel. In it, Perlroth describes the multi-million-dollar gray market for zero day threats in South America, including genius-level threats emerging with cutting-edge technology.
Reading that such bleeding-edge research was being done in Latin America came as a bit of a surprise to me personally, but I suppose it shouldn’t have. Generally we hear about Silicon Valley and the United States being the technological innovation center, but today the US is actually lagging behind the rest of the world when it comes to cloud security, and our research proves it.
In Latin America, they’re moving quickly and securely. Latin American organizations are focusing on the core security of their cloud environments, using the foundation provided by cloud vendors and their partners to build out infrastructures with cloud security in mind from the beginning.
In contrast, many US companies are obsessed with speed. They are moving quickly, failing to make security a paramount priority. Focused more on speed than cybersecurity, these organizations are falling back. When I read this news in our 2021 Cyber Risk Index (CRI), it was unfortunately not a surprise.
Elevated Risk Around the Globe
Lacking a foundational focus on security beyond Latin America, the 2021 CRI tells a familiar story globally, and one that’s only getting worse — 86% of respondents expect to be breached in the next year, and 24% suffered seven or more cyber attacks over the last 12 months. Both numbers have been steadily climbing for years.
The CRI is designed to help companies better understand their cyber risk so they can prioritize their security strategy and identify areas to improve preparedness. The CRI surveyed more than 3,600 businesses of all sizes and industries across North America, Europe, Asia-Pacific, and Latin America to come up with its annual index score, a benchmark that measures the gap between respondents' cybersecurity preparedness and their likelihood of being attacked.
This year’s index score of -0.42 shows that the cyber world today is a more dangerous place than it was a year ago. That score is also skewed by the -1.27 showing for North America, following an unprecedented year of severe attacks targeting cloud, infrastructure and the software supply chain.
This year’s index score of -0.42 shows that the cyber world today is a more dangerous place than it was a year ago
Top Risks and Challenges Show Some New, Some Old
Once again, the research uncovered plenty to keep CISOs awake at night, from operational and infrastructure risks to data protection, threat activity and human challenges.
The top cyber-risks highlighted in the report include many of the usual suspects: man-in-the-middle attacks, ransomware, fileless attacks, botnets, phishing and social engineering. The top security risks to infrastructure also remain the same as last year and include organizational misalignment and complexity, as well as cloud computing infrastructure and providers. In addition, respondents identified customer turnover, lost intellectual property and disruption or damages to critical infrastructure as key operational risks.
Organizations continue to be challenged with the complexity of their infrastructures, including cloud implementations and IoT. The main challenges for cybersecurity preparedness include limitations for security leaders who lack the authority and resources to achieve a strong security posture, as well as organizations struggling to enable security technologies sufficient to protect data assets and IT.
This year desktop and laptop computers made the list based on the number of successful attacks targeting a more distributed workforce around the world. The DNS environment was also a new entry with concerns rising over the success that some attackers have had targeting this area of the network.
Slow Down and Build Securely from the Start
We cannot change what the attackers will do in the future, but the CRI will continue to help us understand if attackers are being more aggressive. Ultimately, it’s up to every business to build a strong cybersecurity posture that gives them the ability to assess, protect, detect, respond to, and recover from serious threats against data, applications, and IT infrastructure.
As we work toward that goal, it’s time to slow down a bit. Take a moment to build and weave security into your cloud processes and it will yield dividends. To lower cyber-risk, organizations must be better prepared by going back to basics, identifying at-risk data, focusing on the threats that matter most, and delivering multi-layered protection from comprehensive, connected platforms.