Cyber Risk Index (2H’ 2021): An Assessment for Security Leaders
Let’s dig into the results a bit further to identify areas of greatest concern across regions.
1. Top five security risks
With the global Covid-19 pandemic continuing as well as many successful ransomware attacks and breaches occurring, it does appear that many organizations felt some areas of their preparedness may be more of a concern now than in the past. Below are the top five security risks around their infrastructure:
- Mobile/remote employees
- Cloud computing infrastructure and providers
- Across 3rd party applications
- Malicious insiders
- Mobile devices such as smart phones
The pandemic brought a major shift from working in office to working from home (WFH), and many organizations had to quickly figure out how to secure these employees. As seen above, this is the biggest concern from respondents and will likely continue. Similarly, businesses showed concerns about mobile devices which are being used more by employees to conduct business remotely.
We also saw an acceleration in cloud implementations during the pandemic, so it’s not surprising that this area of the infrastructure is of major concern. Both WFH and cloud implementations also mean a higher reliance on third-party applications, and respondents recognize this as a threat. Lastly, malicious insiders are a staple of this list and are one of the hardest areas for organizations to protect against.
2. Lack of preparation
Globally, respondents indicated the lowest number for preparedness out of all 31 questions in this area: My organization’s IT security function supports security in the DevOps environment. As more organizations shift left to the cloud in support of rapid code development, it has become an area of real concern for securing this environment within an organization.
3. Successful cyberattacks seem imminent
When asked about attacks in the past 12 months and future attacks for next year, the results don’t bode well for 2022. Globally, 84% experienced one or more successful attacks, and 35% had seven or more successful attacks in the past 12 months. Additionally, 76% say it is somewhat to very likely they will have a successful attack in the next 12 months. Even though this was a 10% drop from the first half, this again appears to indicate organizations know they are not prepared enough to defend against new attacks.
Top global threats
The CRI is designed to help organizations understand where their highest risks lie and identify areas where they can improve their preparedness. We cannot change what the attackers will do in the future, but the CTI will continue to help us understand if attackers are being more aggressive. From the 1H’2021 to 2H’2021, the top threats globally are:
- Ransomware
- Phishing and social engineering
- Denial of service (DoS)
- Botnets
- Man-in-the-middle attack (MitM)
Ransomware was and will continue to be a major concern for everyone, so it is unsurprising this threat landed at number one. Phishing and social engineering is used in most attacks, mainly for the initial access into a network. One interesting threat is DoS, as we’re seeing some ransomware-as-a-service groups employ this in a multiple extortion attack. MitM attacks may be rising due to the perception that supply chain attacks (a form of MitM) are increasing.
Improving your cyber risk
The good news from the 2H’2021 CRI is that we are seeing organizations starting to understand that they need to improve their cyber risk, which is done through a process of improving their people, process, and technology (PPT) within their business. Since the CRI looks at all three of these areas, an improvement to the total CRI could be due to any one, or all, of these categories.
Based on the results, these are the areas of preparedness that need the most work to address the perceived areas of highest risk:
- My organization’s IT security function supports security in the DevOps environment.
- My organization’s IT security leader (CISO) has sufficient authority and resources to achieve a strong security posture.
- My organization’s IT security function strictly enforces acts of non-compliance to security policies, standard operating procedures, and external requirements.
- My organization’s IT security function can know the physical location of business-critical data assets and applications.
- My organization’s IT security leader reports to senior leadership (such as the CEO, COO, or CIO).
- My organization makes appropriate investments in leading-edge security technologies such as machine learning, automation, orchestration, analytics and/or artificial intelligence tools.
- My organization spends considerable resources evaluating third-party security risks (including the cloud and the entire supply chain).
To address these concerns, CISOs and security leaders should look for a unified cybersecurity platform instead of investing in several disconnected point products across the enterprise. As we stated, the growing attack surface due to remote workers (more devices) as well as evolving threats means organizations need total visibility to better understand, communicate, and mitigate threats. This necessary visibility cannot come from dispersed products, but rather from a cybersecurity platform which correlates and consolidates deep threat data across the digital attack surface.
Consider a platform that is backed by continuous threat monitoring, risk insights, and extended detection and response (XDR), and that supports best approaches like Zero Trust. Broad integrations with third-party services like firewalls, SIEM, SOAR, etc., are equally important. All these features and capabilities will help reduce complexity for security teams, allowing them to investigate only the most critical threats. In turn, an organization’s cyber risk is reduced, enabling business innovation.
Next steps
The CRI is ongoing, and we update it each year to show trends around organizations’ ability to prepare for and withstand attacks.
Check the webpage for more details and assets and try our CRI calculator to assess your own organization’s CRI against the current results: www.trendmicro.com/cyberrisk.