Looking for hard numbers to back up your sense of what’s happening in the cybersecurity world? Here are a few studies and surveys of the industry’s landscape to get a sense of the lay of the land—both in terms of what’s happening and how your fellow IT pros are reacting to it.
With last year’s outbreak of NotPetya, ransomware—malicious programs that encrypt your files and demand a ransom payment in bitcoin to restore them—became one of the most talked-about forms of malware of 2017. Yet at the same time, the actual rate of ransomware infection began to plummet around the middle of the year, until by December 2017 ransomware accounted for only about 10 percent of infections.
What happened? Well, it seems attackers have figured out that you catch more flies with honey than with vinegar, and rather than demanding your victims send you bitcoins, you can just infect their computers with bitcoin-mining software without their noticing instead. By early 2018, almost 90 percent of all remote code execution attacks were associated with cryptomining.
Are you tired of sending out nagging notes to company staffers insisting that they not just click on any old email attachments? Well, we’re afraid you’re going to have to keep at it, because according to Verizon’s 2018 Breach Investigations report, 92 percent of malware is still delivered by email.
One of the most common methods of email malware infection is through phishing attacks, which are becoming increasingly targeted. And security pros are taking notice. Out of the 1,300 IT security decision makers surveyed for CyberArk Global Advanced Threat Landscape Report 2018, 56 percent said that targeted phishing attacks were the top security threat they faced.
But the days when malware threats arrived as .exe files attached to those emails—files that antivirus programs could easily assess and block—are falling behind us. Instead, so-called fileless malware is becoming more and more common. Fileless attacks abuse software already installed on the victim’s computer rather than attempting to download large executables: for instance, they might run inside a browser plug-in or as Microsoft Office macros, or exploit vulnerabilities in server programs to inject malicious executable code, as was the case with the Equifax breach. All told, 77 percent of attacks that resulted in a compromise in 2017 were fileless, according to the Ponemon Institute’s “The State of Endpoint Security Risk Report.”
Sometimes it can be difficult to explain to company management exactly what the bottom line is when it comes to cyberattacks. After all, barring an actual theft (or a ransom payment), money isn’t flowing out of the breached company’s bank account, so what’s the big deal, really? Ponemon offers one way to think about it in its report on the true cost of ransomware: the biggest hit to the company’s balance sheet will come in the form of enforced employee idleness as wrecked networks and dysfunctional computers provide no means to actually do work.
You probably aren’t going to stop all the attacks on your infrastructure; that’s why it’s necessary to identify breaches that have already occurred and repair the damage ASAP. On that score, things seem to be improving … barely. Ponemon’s 2017 Cost of Data Breach study found that organizations were able to identify data breaches on average within 191 days. That might sound like a shockingly high number—it’s more than six months!—but it’s marginally better than 2016’s figure, which was 201 days.
It’s often hard to find people in business having anything nice to say about government regulations. But according to Thales’ 2018 Data Threat Report, when it comes to securing sensitive data, companies are willing to give credit to regulators when credit is due. According to Thales’ survey, 64 percent of respondents around the world—and 74 percent of those in the U.S.—feel that adhering to compliance requirements is a ‘very’ or ‘extremely’ effective way to keep data secure. Perhaps that explains why, according to the 2018 IDG Security Priorities Study, 69 percent of companies see compliance mandates driving spending.
Does your company have a security executive in the C-suite, and if so, who do they report to? The question goes beyond upper-echelon office politics and gets to the heart of who does what in a company, and how they collaborate. For instance, in 75 percent of organizations surveyed in the 2018 IDG Security Priorities Study, security and IT teams are part of the same department, with 25 percent having a standalone security department. But if a company has a dedicated CSO or CISO, it is more likely to have security siloed into a separate department—in such organizations, that happens 40 percent of the time.
Industrial control systems—specialized computer hardware and software that provide the smarts for everything from manufacturing plants to nuclear power stations—are tempting targets for hackers. According to the Business Advantage State of Industrial Cybersecurity 2017 report, 54 percent of companies sampled experienced an industrial control system security incident within the past twelve months—and 16 percent had experienced three or more.
One possible explanation? Not enough care spent controlling who exactly can access these crucial systems. The report found that 55 percent of sampled companies allowed external parties, such as partners or service providers, to access their industrial control network.
Internet-connected industrial control systems represented the first wave of the internet of things; today, there are millions of IoT devices out there, representing a tempting attack surface that you need to protect. A 2018 report from Trustwave produced some dispiriting numbers when it comes to IoT security:
Take those two facts into consideration, and is it any surprise that 61 percent of those surveyed have already experienced an IoT security incident?
To end on a hopeful note, let’s take a look at the factors that drive security spending, according to the 2018 IDG Security Priorities Study. (Respondents could choose more than one factor, which is why these add up to more than 100 percent.)
Why do we say that’s hopeful? Well, it looks like organizations are approaching their security spending proactively, based on plans for the future and guidelines laid down by regulations, rather than playing catch-up and responding to attacks. What more can a CSO ask for?