The UK government’s Cyber Security Breaches Survey of 2021, published in March 2021, found that four in 10 businesses (39%) reported having cybersecurity breaches or attacks in the last 12 months with medium-sized businesses (65%) the most vulnerable.
Although there have been several high-profile incidents such as the SolarWinds hack and the $50m ransomware extortion attempt against Acer, cybersecurity awareness has not grown. Instead, businesses are finding it harder to administer cybersecurity measures during the pandemic with fewer now deploying security monitoring tools (35% vs. 40%) or undertaking any form of user monitoring (32% vs. 38%).
Preparedness is Lacking
One of the most worrying trends is the reduction in cyber breach preparedness. The survey found that activities such as testing staff through mock phishing exercises, carrying out cybersecurity vulnerability audits and reviewing cybersecurity risks posed by suppliers had dropped by between 20% to 30% compared to the previous year.
Although the report paints a despondent picture about cybersecurity preparedness, there has been growing adoption of automated cybersecurity testing tools – a sector that analyst firm MarketsandMarkets Research predicts will top $900bn by 2025 – with an impressive CAGR of 33.2%.
Under the broad header of Breach and Attack Simulation (BAS), a term popularized by Gartner, these systems automate testing and preparedness capabilities – including the execution of simulated cyber-attacks to determine if security controls detect and respond to threats as they should, and then report on the results.
Manual Testing on the Decline
In recent years, much of BAS was less than automated. In many cases, the systems were largely in support of more hands-on programs led by skilled infosec teams. For example, tabletop exercises akin to fire drills where infosec teams would play out a breach scenario and then test if the response processes were adequate to quickly triage and recover a situation. Or ‘Red vs. Blue team’ exercises where one group tried to breach a set of cybersecurity controls while another tried to thwart the attackers.
However, with the pandemic’s severe economic impact, furlough and home working, the DCMS report and other data points, suggest that these types of progressive strategies have stagnated or suffered decline - with just three in 10 businesses (31%) having a business continuity plan that covers cybersecurity.
The heart of the issue, like many others, stems from financial constraints. Even as cybersecurity testing and risk assessment has fallen – businesses are taking out more cyber insurance – jumping from 32% to 43% over the last year. In this context the potential benefit of a new wave of highly automated BAS tools should not be overlooked.
Automation to the Rescue?
The technology is advancing quickly and as more security vendors implement open API driven capabilities, automated BAS (ABAS) can potentially carry out much of the infosec ‘grunt work’ far quicker than human administrators. For example, testing that firewall rules are working as expected across hundreds of potential access scenarios, or comparing data from hundreds of device logs to detect configuration changes that may expose a potential vulnerability – are just two from a myriad of useful functions.
Yet automation can only take an organization so far. Even with all the claims of magic AI that swirl around the cybersecurity industry, these tools still need a modicum of expertise to deliver quantitative value. Furthermore, our own data shows that 71% of security decision makers believe the increasing amount of time they spend managing tools inhibits their ability to effectively defend against threats. This phenomenon, known as “tool sprawl,” demonstrates that organizations will need to look beyond simply adopting the current popular automated security solution.
Establishing a Balance
One main option for strengthening cybersecurity competency is through managed services, and the data suggests four in 10 businesses (38%) now have an external cybersecurity provider. Choosing the correct provider in this context is becoming essential, as well as selecting the right type of solution for the specific needs of a given organization. Endpoint security remains a popular choice for managed services, but research shows promise in an emerging technology known as XDR (extended detection and response) and Open XDR, which promises a more seamlessly automated security experience across tools.
At the end of the day, improving security will all come down to organizations finding the right balance when investing in people, processes and technology. Although a broad generalization, ABAS can offer the most value where organizations have a core of competent IT staff that have limited time to dedicate to conducting ongoing security assessment duties, as well as the right solutions that integrate with their existing security stack without placing any additional burden on security teams.