Organizations Not Ready for Changing Threat Landscape

By | Managed Services News

May 10

Some 40% of CSOs globally say their organizations are unprepared for a rapidly changing threat landscape. That’s according to a new ThoughtLab study.

The study analyzed the cybersecurity strategies and results of 1,200 large organizations across 14 different sectors and 16 countries. It represents more than $125 billion in annual cybersecurity spending.

Other key findings from the study include:

  • The average time it takes organizations to respond to a breach is 47 days.
  • Attackers spend on average 25 days undetected on a system.
  • Security executives expect an increase in attacks in the next two years. They cite as root causes misconfigurations (49%), human error (40%), poor maintenance (40%) and unknown assets (30%).

Breaches Took Significant Toll

Gidi Cohen is CEO and founder of Skybox Security, which worked with ThoughtLab on the report.

“When breaches occurred, they took a significant toll,” he said. “Affected organizations reported that the greatest impact was the reputational loss, followed by business disruption, followed by the cost of the breach response. Most of the organizations surveyed were large. Three-quarters had revenue over $1 billion (average was $21.5 billion) and 55% had more than 10,000 employees (average 45,000).”

Cybersecurity providers must prioritize innovative solutions that enable their customers to anticipate, identify and mitigate risks in advance, Cohen said.

“Historically, traditional cybersecurity approaches have focused on reactively identifying a breach,” he said. “To illuminate a new path forward for breach prevention, modern cybersecurity solutions regularly assess risk probabilities and impacts, conduct advance risk scoring and path analysis, support enterprise-wide risk management, and enable customers to proactively mitigate risks.”

Pandemic ‘Critical Inflection Point’

The research revealed the pandemic has brought cybersecurity to a critical inflection point. The number of material breaches respondents suffered rose 20.5% from 2020 to 2021. In addition, cybersecurity budgets as a percentage of firms’ total revenue jumped 51%. During that time, cybersecurity became a strategic business imperative, requiring CEOs and their management teams to work together to meet the higher expectations of regulators, shareholders and the board.

Moreover, the role of the CISO expanded, with many taking on responsibility for data security (49%), customer and insider fraud (44%), supply chain management (34%), enterprise and geopolitical risk management (30%), and digital transformation and business strategy (29%).

Yet 29% of CEOs and CISOs admit their organizations are unprepared for a rapidly changing threat landscape. The reasons cited include:

  • The complexity of supply chains (44%).
  • The fast pace of digital innovation (41%).
  • Inadequate cybersecurity budgets and lack of executive support (both 28%).
  • Convergence of digital and physical assets (25%).
  • The shortage of talent (24%).

The highest percentages of unprepared organizations were in critical infrastructure industries. Those include health care, the public sector, telecoms, and aerospace and defense.

Some 48% of organizations with no breaches in 2021 were leaders in risk-based cybersecurity, Cohen said.

More Cybersecurity Awareness Training Needed

Stu Sjouwerman is president and CEO of KnowBe4, a sponsor of the study on the threat landscape.

“The focus today is too much on trying to prevent data from leaving, instead of stopping attackers from ever getting in,” he said. “I would expect to see more focus on security awareness training to reduce the threat surface of phishing, a primary attack vector in nearly every kind of cyberattack. This kind of training helps to establish good cyber hygiene, a sense of vigilance, and has been shown to reduce the risk of users falling for social engineering tactics employed within phishing attacks.”