How companies rate their cybersecurity status
Correct self-perception of your own IT defence
By Thomas Krause
providers on the topic
It is well known that cyber criminals are constantly working on their arsenal of new attack methods. SMEs, large companies, authorities and, most recently, educational institutions – they all have to arm themselves against new attacks and know it. Can and do they do it too?
A study by Cybersecurity Insiders on behalf of ForeNova among 236 IT experts in the USA and Canada from autumn 2022 shows how quickly and with which technologies companies react to attacks. The conclusion of the results of the survey also presented here: companies know the dangers , but often take too much time to recognize and defend against. If, for many of those surveyed, backups are the most efficient part of IT security, the question also arises: Are those responsible for cybersecurity already waging rearguard action or are they lulled by the deceptive security that attacks could not harm them anyway?
There is agreement on one point in particular: the potential and actual victims have no illusions about the versatility and strength of cybercriminals. The frequency of attacks will increase: This is what 78 percent of the companies surveyed in the study expect. The ransomware, which is prominent in the media, is only one fear factor – albeit a relevant one. After all, 32 percent of the companies surveyed were actually victims of attempts at blackmail.
In addition, the study participants see themselves threatened from various sides: 77 percent of the IT experts consider economically motivated and organized cybercrime as the greatest danger. Obvious, because this builds on the possibilities and the competence of an organized network of professionals with the aim of making a profit. Right behind them are the opportunistic hackers (64 percent) who use simple methods to quickly find a vulnerability. State-funded attacks (48 percent) seem a bit further away to most of those involved. But not only these main suspects seem to be feared. Almost every third respondent thinks most likely of the frustrated or former owner, every fifth of hacktivists and 15 percent even of the competition. Twelve percent even see dissatisfied customers as the greatest danger, 22 percent careless employees.
Delayed Defense Danger
If professional hackers get into the system, the consequences are often serious and for many security officers not immediately foreseeable. IT recognizes most attacks. But often only late, for example when the criminals already have access to up to ten percent of the data. According to their own statements, this is the case for 81 percent of those surveyed. At first glance, this may not sound like much, but if the information is sensitive, it can be enough to present a company with problems that threaten its existence. Even more frightening: one in ten respondents said they only noticed intruders when they already had access to 76 to 100 percent of the data.
If you want to prevent major losses or the unavailability of data and systems from targeted attacks, effective prevention and responsive defense must be in place. But even when reacting to the execution of an attack, many IT teams are not fast enough. When asked how quickly internal IT detects malware, around a fifth of those surveyed stated – on the one hand at least, but on the other hand only – that this happens almost in real time. For 22 percent, this takes place within a few minutes. If ransomware encryption or data exfiltration is executed immediately, that may already be too late. However, it takes 34 percent several hours or up to more than a full working day, and five percent even several days before IT notices a successful attack. It is alarming that every tenth company does not know when or if they would even detect attacks.
The answers to the question of how malware is typically discovered are remarkable. Respondents credit endpoint defenses (83 percent) such as anti-malware or anti-virus with the greatest share in detecting an intruding threat, followed by email and web gateways (55 percent) and an intrusion detection system (49 percent) This is followed by monitoring network traffic at 42 percent. (Figure 2). This last factor seems underestimated compared to the others. The conclusion that the security concepts mentioned first contribute the most to a successful defense should be treated with caution. Endpoint protection is certainly essential, takes action in the case of simple attacks or fends off the opportunistic start with antivirus functions. And despite the deserved attention to Advanced Persistent Threats (APTs): Opportunistic attacks are the majority in cyberwarspace. They are often at the beginning of complex attacks. Cybercriminals who use the information harvesting of automated scans to then spy on the network and determine worthwhile data and systems as targets will not be prevented by such a solution. Endpoint protection then quickly comes too late.
Poor lifeline: Backups and endpoint protection alone are no longer enough
While many respondents may give too much of a protective role to endpoint protection, which is surely necessary, other companies seem to over-rely on backup. 87 percent see backing up and restoring data as the most effective remedy against attacks. So they trust EDR more than threat intelligence (72 percent) or behavioral analysis (53 percent).
On the one hand, such a statement may reflect an inappropriate reliance on backups: restoring data and systems seems easy. But this is not the case. After all, it can take a long time for complex attacks to restart destroyed systems or re-enter data for a variety of reasons. During this downtime, high sales losses quickly accumulate. But the danger goes even further: professional attackers with blackmail intentions now locate the backups, encrypt or destroy them before the blackmail letter is sent out. Anyone who does not have a separate backup without a connection to the company network is exposed to this risk and feels a false sense of security. The same applies to users who do not check their backups for functionality: the number of companies whose backups cannot be imported, making them worthless, should not be underestimated. Second-generation ransom-mongers also threaten to disclose data, which no backup will do: the company hasn’t lost any data. Only someone else has them now too.
Anyone who sees backups and endpoint protection as the main defense or last resort against complex attacks is giving the professional attackers too much room. However, defending against complex new attacks in advance and thus in good time requires more far-reaching cyber defense concepts: observing network traffic and analyzing the behavior of users and endpoints or forensic analysis of data traffic in order to define points of entry and for the expected new attempt at to shut down hackers. Only those who recognize the first indications of attacks in advance will be able to protect and block endpoints in good time. Against the really dangerous attackers: the unknown ones or those who mask well-known attacks in a sufficiently new way. In addition to endpoint detection and response and network detection and response, he needs the help of experienced external IT experts.
About the author: Thomas Krause is Regional Director DACH at ForeNova.