Despite Increased Attacks, Security Remains Low Priority for Business

Research finds criminals increasingly target business, but security programs have not caught up to the current threat landscape

Criminals will always go where the money is, and several pieces of recent research find they are increasingly directing their efforts at business targets in an effort to earn a bigger payout. Yet many organizations still struggle to find adequate funding and resources to build out their security strategy, despite the increase in risk.

A recent report from Malwarebytes finds businesses—rather than consumers—bore the brunt of attacks in 2018. The annual “State of Malware” report looks at data from January through November 2018 with data collected by honeypots, virtual sandboxes and business and consumer products.

Ever the industrious group, criminals ramped up malware efforts and favored businesses over consumers in 2018 because that’s where the larger payoff lies. Business detections rose 79 percent over 2017, mainly due to the increase in backdoors, miners, spyware and information-stealers.

“From massive data breaches to ransomware attacks, businesses are experiencing what consumers have been dealing with, but on a larger scale,” said Marcin Kleczynski, Malwarebytes CEO, in a statement on the findings.

The United States, UK, Germany, France and Australia were among the top 10 countries with the most business detections by volume. The report finds the Asia Pacific region had a significant increase in backdoor malware and exploits against endpoints.

Small Business in the Crosshairs

The numbers don’t just apply to the enterprise. Small businesses have also found themselves targeted with increasing ferocity in recent months. Almost half of all cyberattacks (43 percent) are now directed at small businesses, according to data compiled by the non-profit SCORE. Macro malware is the predominant type of cybercrime affecting small businesses, with online banking and ransomware attacks trailing close behind.

The takeaway is clear: it has never been more critical for businesses of all sizes to invest in and strategize around a comprehensive security program. Yet building out a robust strategy is still a difficult proposition for business security leaders. In fact, a new Deloitte “2019 Future of Cyber” survey finds the battle for security skills and dollars continues to trouble organizations, with a significant gap between what organizations want to achieve in security and the reality of their risk mitigation efforts.

Disconnect Between Security Goals, Risk Realities

The Deloitte survey was conducted in conjunction with Wakefield Research among 500 C-level executives who oversee cybersecurity at companies with $500 million or more in annual revenue. That group included 100 chief information security officers, 100 chief security officers, 100 chief technology officers, 100 chief information officers and 100 chief revenue officers.

Among the findings of the survey:

  • Many organizations are challenged by their ability to help better prioritize cyber-risk across the enterprise (16 percent).
  • Only half of organizations (49 percent) have cybersecurity on their board agenda at least quarterly. Only 4 percent of respondents say cybersecurity is on the agenda once a month.
  • A mere 14 percent of cyber budgets are allocated to securing digital transformation efforts.
  • Less than 20 percent of organizations have security liaisons embedded within business units to foster greater collaboration, innovation and security.
  • According to 65 percent of the CISOs surveyed, 21 percent to 30 percent of total cyber operations is outsourced, with nearly half (48 percent) of CISOs selecting insider threat detection as a top function they use third parties to manage.
  • A majority (85 percent) of the survey respondents indicate that they are using Agile/DevOps in application development, yet they rank DevSecOps lowest (11 percent) among cyber defense priorities and investment areas, which may explain why 90 percent of organizations surveyed experienced disclosures of sensitive production data within the past year.

Bridging the Gap

Recommendations from the report note CISOs appear to be “building the plane while they’re flying it.” To integrate security into an enterprisewide effort and achieve their desired business outcomes, security leaders will require more executive attention, budget, prioritization, people, tools, processes, governance and overall collective thought to effect change.

Joan Goodchild

Joan is a veteran journalist, editor and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.
