Data from a survey of 1,200 enterprise security leaders reveals that an increase in tools and manual reporting combined with control failures are contributing to the success of threats such as ransomware, which costs organizations an average of $1.85 million in recovery, according to Panaseer.
Control failures lead to cybersecurity incidents
Currently, only 36% of security leaders feel very confident in their ability to prove controls were working as intended. This is despite 99% of respondents believing it’s valuable to know that all controls are fully deployed and operating within policy, and cybersecurity control failures are currently being listed as the top emerging risk in the latest Gartner Emerging Risks Monitor Report. Attacks only succeed when they hit systems that haven’t been patched or don’t have security controls monitoring them.
82% of security leaders have been surprised by a security event, incident, or breach that evaded a control(s) thought to be in place. It takes multiple control failures for an attack to be successful. In their experience, the respondents stated that it took an average of five or more control failures for an event, incident or breach to succeed.
The report also confirmed that only 40% of security leaders can confidently understand and remediate underperforming controls and track improvement. 60% of the security leaders lack strong confidence in their ability to continuously measure security controls that mitigate the infiltration, propagation, and exploitation of a successful ransomware attack.
Security teams are grappling to manage a growing number of security tools
The rise in threats and shift to cloud-enabled remote working has increased the number of security tools used by large enterprises. On average, enterprise security teams are grappling to manage 76 discrete security tools, a significant jump from 2019 when the average was 64. An increase in tools can also increase reporting requirements.
According to the report, security teams spend more than half their time (54%) manually producing reports for the Board, regulators and auditors. This is an increase of over a third from 2019 when security teams spent on average 40% of their time manually producing reports. The main tasks involved in manual reporting include: extracting data, moving data, cleaning data, merging data, making calculations and formatting and presenting data.
Databases topped the list of assets into which security teams had least visibility (27%), followed by devices (17%) and then Internet of things (16%). The lack of visibility around databases correlates with a sharp rise in ransomware attacks, which have quadrupled during the pandemic and the National Cyber Security Centre recently cited as “the most immediate danger to UK businesses.”
Jonathan Gill, CEO, Panaseer: “The number of security tools continues to grow to meet the increasing threat and fast-evolving technology landscape. These tools produce vast amounts of data, but unfortunately, the data does not always join together, and this has now become a data science problem.”
“Many organizations try to resolve this with spreadsheets and other in-house solutions that simply increase the reporting and administration burden on precious cybersecurity resources. It’s almost impossible to understand an organization’s assets, the status of controls relating to those assets, and the business context or ownership of the associated vulnerabilities. Most attacks happen despite organizations having invested in controls to defend themselves, but finding those controls were not deployed across all assets as intended.”
When asked what changes they have experienced since the beginning of the pandemic, security leaders cited a 42% increase in unpatched vulnerabilities, and 46% more events, 42% more incidents and 47% increase in breaches.