A global survey of 4,700 IT professionals published this week by Cisco found the leading types of incidents were network or data breaches (52%), followed closely by network or system outages (51%), ransomware events (47%) and distributed denial-of-service attacks (46%).
Overall, the survey found 62% of organizations experienced a security event that impacted business in the past two years. Those impacts took the form of IT and communications interruption (63%), supply chain disruption (43%), impaired internal operations (41%) and lasting brand damage (40%).
Not surprisingly, a full 96% of respondents said security resilience is now a high priority, the survey found.
Wendy Nather, head of advisory CISOs for Cisco, said the survey made it clear organizations are changing their approach to cybersecurity as they continue to cope with a chronic shortage of cybersecurity skills at a time when attacks continue to increase in volume and sophistication.
Cisco also ranked survey respondents based on their overall level of resilience. Organizations that, for example, have a mature zero-trust model have a 30% higher resilience score compared to those that have none. Advanced extended detection and response (XDR) capabilities correlated to a 45% increase in resilience compared to organizations with no detection and response solutions. Secure access service edge (SASE) solutions delivered via the cloud give organizations a 27% higher security resiliency rating.
Organizations that reported poor security support from the C-suite scored 39% lower than those with strong executive support, while businesses that reported an excellent security culture scored 46% higher on average.
Exactly where IT resources are located seems to have a limited impact on cybersecurity resiliency. Organizations that are either mostly on-premises or mostly based in the cloud had the highest, and nearly identical, security resilience scores. However, organizations that are in the initial stages of transitioning from an on-premises to a hybrid cloud environment saw resilience scores drop between 9% and 14% depending on how difficult the hybrid environments were to manage.
The survey also found that organizations with dedicated resources for responding to incidents have a 15% higher resilience score, noted Nather.
In general, most organizations realize they can’t prevent every breach, added Nather. Focusing on resilience enables organizations to reduce not just the number of breaches but also the blast radius of a breach once it occurs. In fact, the best cybersecurity professionals are opting to work for organizations that have a reasonable expectation of what level of cybersecurity can really be attained and maintained, she noted. At a time when demand for cybersecurity expertise remains high, Nather noted that the culture of an organization matters.
The nature of attacks being launched has never been more diverse. Cybersecurity professionals are attempting not only to thwart multiple techniques and tactics but also to anticipate how cybercriminals will adapt to target multiple classes of platforms now deployed across an extended enterprise. Each organization needs to decide what level of risk is acceptable, but it’s clear there has never been as much focus on cybersecurity as there is today. The issue now is finding a way to harness all that attention in the most efficient way possible because cybersecurity budgets are still far from unlimited.