- One key finding of the report is that the cost of compromise is at an all-time high. Although the average number of attacks per organization per year has declined (from 455 to 440 per organization), the average cost per organization of responding to and recovering from cybersecurity incidents has increased significantly (from $3.7 million to between $4.8 million and $5.8 million).
The major reason behind this increase is that detection and response times are too slow. This is due to deficiencies in planning for cybersecurity incident response and for recovery back to a trusted state. These deficiencies also result in unrealistic expectations for the time required to recover. Interestingly, even compliance with basic cyber resilience practices has a positive impact on recovery time.
- Another key finding is that the attack surface of Canadian organizations is expanding exponentially because of remote access to corporate networks. This creates new opportunities for malicious actors to succeed in their nefarious plans. In addition, most Canadian organizations have to comply with three or more government or industry regulations, most of which relate to data or privacy (such as PIPEDA/Digital Privacy Act, SOX or GDPR).
Canadian organizations are adopting cloud solutions to migrate their infrastructure, but their cloud security strategies are not keeping up with the adoption rate. Less than 60% of organizations update their public cloud environments within a week of patch release. This leaves them vulnerable to targeted attacks conducted by malicious actors.
- Last but not least, the security strategy of Canadian organizations is shifting from protection to detection and response. Although traditional perimeter and endpoint security solutions will continue to be deployed, they are beginning to be complemented by AI, machine learning and new detection techniques. These three forces are key enablers for enhancing Canadian organizations' security posture.
Discussion on the findings
The report identifies that most organizations are barred from performing timely patching or software updates. To be fair, patching continues to be a difficult challenge for organizations of any size. Even with the best intentions, there are significant obstacles that delay patching. To be precise, the decision to roll out, roll back or disregard a specific patch falls within the larger context of vulnerability management, a security practice designed to proactively mitigate or prevent the exploitation of vulnerabilities.
Vulnerability Management
Vulnerability management is more than just getting alerts whenever your infrastructure needs a patch applied. It is about making informed decisions and properly prioritizing which vulnerabilities to mitigate and how. This is achieved by embedding internal hooks for telemetry into all systems of interest as well as external hooks for threat intelligence from all sources. Vulnerability management has to be backed up by good threat intelligence that provides a deeper understanding of how and why threat actors are targeting certain vulnerabilities and ignoring others. Intelligence on vulnerability exploitability prepares your organization to strike the correct balance between patching vulnerable systems and interrupting business operations.
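To make the prioritization concrete, here is an added example (not code from the Scalar report or from Tripwire) that merges internal telemetry about each asset with external threat intelligence about exploitability before deciding whether a patch is worth interrupting the business for. The asset names, vulnerability identifiers, weights and thresholds are all constructed for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool    # internal telemetry: reachable from the internet?
    business_critical: bool   # internal telemetry: does downtime halt operations?

@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str              # scanner identifier (constructed, not a real CVE)
    cvss: float               # base severity reported by the scanner
    exploited_in_wild: bool   # external threat intelligence: active exploitation seen?
    mitigated: bool = False   # compensating control already in place?

def risk_score(f: Finding) -> float:
    """Scanner severity adjusted by exploitability, exposure and mitigations (constructed weights)."""
    score = f.cvss
    if f.exploited_in_wild:
        score *= 2.0          # intelligence says attackers are using it now
    if f.asset.internet_exposed:
        score *= 1.5          # no internal foothold needed to reach it
    if f.mitigated:
        score *= 0.25         # a compensating control buys time
    return round(score, 1)

def decision(f: Finding) -> str:
    """Weigh the adjusted risk against the cost of interrupting the business."""
    s = risk_score(f)
    if s >= 12.0:
        return "emergency-patch"                 # interruption is justified
    if s >= 6.0:
        return "next-maintenance-window" if f.asset.business_critical else "patch-this-week"
    return "defer-and-monitor"                   # track it, no action this cycle

def prioritize(findings):
    """Return (vuln_id, asset, score, decision) rows, highest adjusted risk first."""
    rows = [(f.vuln_id, f.asset.name, risk_score(f), decision(f)) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample inventory and scan results for a dry run.
WEB = Asset("web-01", internet_exposed=True, business_critical=True)
DB = Asset("db-01", internet_exposed=False, business_critical=True)
WKS = Asset("wks-17", internet_exposed=False, business_critical=False)
SAMPLE = [
    Finding(WEB, "VULN-A", 7.5, exploited_in_wild=True),     # moderate CVSS, but exploited and exposed
    Finding(DB, "VULN-B", 9.8, exploited_in_wild=False),     # critical CVSS, no exploitation seen
    Finding(WKS, "VULN-C", 5.0, exploited_in_wild=False),
    Finding(DB, "VULN-D", 9.0, exploited_in_wild=True, mitigated=True),
]
```

Note how the moderate-CVSS but actively exploited and exposed finding outranks the critical-CVSS one, which is the point of feeding exploitability intelligence into the decision rather than patching by scanner severity alone.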
Top Three Organisational Concerns
The report also mentions that the top three organizational concerns relating to security posture are about end-user risk: specifically, untrained staff who may become insider threats, mobility threats, and confidential and sensitive data not being backed up. Unfortunately, the human factor is still a security program’s weakest link, since nearly half of the companies surveyed do not conduct formal security training to help employees identify scams such as phishing or properly handle sensitive data. Although there are various technological advances in behavioral analytics, organizations should not be over-reliant on technology. User awareness programs should be developed in a manner that promotes cybersecurity culture as an integral part of the organizational culture.
The Golden Triangle of Cybersecurity
This brings into discussion the Golden Triangle of cybersecurity: technology, people and processes. Many companies have invested heavily in acquiring technology to detect intrusions; however, they have not invested in training staff to properly configure and update these systems or to align the tools with a larger security strategy. On the other hand, the lack of streamlined processes overloads security teams with repetitive tasks and false positives. Once properly identified, these tasks can be carried out by automated security orchestration solutions. The use of such automation solutions, leveraging the power of AI and machine learning, will free up time for the security teams to detect intrusions. The Scalar security study highlights just this. There is a need for a change of attitude and for developing people and processes to streamline workflows and even automate some of these functions.
Speaking of processes, it is also interesting to note that updates to existing incident response plans occur only following a security incident or because of changes to industry standards or government legislation. Considering the cost of a security breach, this is one area that really cannot afford to be neglected. There are many excellent reasons to update an incident response plan, but less than 40% of organizations are completing these updates.
Incident Response Plans
Organizations that have experienced a security breach know that the middle of a breach is not the moment to discover that the incident response plan needs to be updated. As a result, the costs associated with responding to, and recovering from, cybersecurity incidents are going up. Most of these costs are due to slow detection and response as well as deficiencies in planning. As Scalar's Chief Technology Officer Theo Van Wyk wrote on a blog, “incident response documentation cuts downtime and saves money.”
Regulations
A final thought. Most Canadian organizations are obliged to comply with numerous government or industry regulations. These are made for a good purpose – to protect our personally identifiable information (PII) and the organizations’ assets. But what happens when this plethora of regulations adds to the complexity of cybersecurity, especially if some measures or prerequisites are contradictory? The confluence of a threat landscape that is constantly evolving, an attack surface that is rapidly expanding and security compliance requirements that are increasingly complex makes cybersecurity an extremely difficult undertaking.
Final Takeaways
The reality is that there is no immunity against intrusion, operational disruptions and data theft. Thus, while prevention remains a key part of any cyber defense strategy, detection and remediation are quickly becoming critical focus areas for many organizations. These changes necessitate a new security approach, one that
- integrates each of the security technologies into a whole, enabling transparency and centralized policy controls;
- employs automation through an integrated security platform to minimize time-to-detect and time-to-respond, while also demonstrating compliance with industry regulations and security standards;
- adopts a proactive security posture which relies on real-time threat intelligence and its dissemination across and between each security element; and
- leverages the power of AI and machine learning to extend security capabilities to identify unknown threats, minimize false positives or pinpoint potential user and endpoint threats.
The thing a lot of security folks tend to forget is that cybersecurity risk is, at the end of the day, a business risk. A business risk needs to be mitigated based on the likelihood and impact it has on the business. As we see in this study, the cost of recovering from a security incident is increasing significantly whereas the number of incidents has remained fairly stable. In order to effectively mitigate this risk, a solid foundation of security controls should be implemented. The Center for Internet Security recommends that organizations start with knowing what’s on their network, ensuring that those assets are appropriately hardened and confirming that the vulnerability risk on those assets is mitigated. Only once an effective foundation is built will advanced detection techniques also be effective.
Tripwire’s products integrate the CIS security controls into their functionality so that they can better protect organizations.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.