ThoughtLab: Pandemic induced critical cyber security inflection point

The global research firm’s Cybersecurity Solutions for a Riskier World revealed that the pandemic has brought cyber security to a critical inflection point. The number of material breaches respondents suffered rose 20.5 per cent from 2020 to 2021, and cyber security budgets as a percentage of firms’ total revenue jumped 51 per cent, from 0.53 per cent to 0.80 per cent.

During that time, cyber security became a strategic business imperative, requiring CEOs and their management teams to work together to meet the higher expectations of regulators, shareholders and the board. In addition, the role of the chief information security officer (CISO) expanded, with many taking on responsibility for data security (49 per cent), customer and insider fraud (44 per cent), supply chain management (34 per cent), enterprise and geopolitical risk management (30 per cent), and digital transformation and business strategy (29 per cent).

Yet, according to ThoughtLab researchers, 29 per cent of CEOs and CISOs and 40 per cent of chief security officers admit their organisations are unprepared for a rapidly changing threat landscape. The reasons cited include the complexity of supply chains (44 per cent), the fast pace of digital innovation (41 per cent), inadequate cyber security budgets and lack of executive support (both 28 per cent), convergence of digital and physical assets (25 per cent), and shortage of talent (24 per cent). The highest percentages of unprepared organisations were in critical infrastructure industries: healthcare (35 per cent), the public sector (34 per cent), telecoms (31 per cent), and aerospace and defence (31 per cent).

Over the next two years, security executives expect an increase in attacks from social engineering and ransomware as nation-states and cyber criminals become more prolific. Executives anticipate that these attacks will target weak spots primarily caused by software misconfigurations (49 per cent), human error (40 per cent), poor maintenance (40 per cent), and unknown assets (30 per cent).

According to Lou Celi, CEO, ThoughtLab and the program’s research director, the move to digital during the pandemic – and now escalating geopolitical tensions – are ushering in a new era of cyber security risk that will require stronger leadership and wider teamwork among C-suite executives and their staff.

“While there is no silver bullet, our evidence-based research reveals that organisations need to take their cyber security programs to a higher level of excellence by ensuring they are proactive, risk-based, human-centric, digitally advanced, and properly resourced,” Celi said.

As part of ThoughtLab’s evidence-based research, the company’s economists assessed the cyber security performance of corporate and government organisations against 26 metrics, including times to detect, respond to, and mitigate a cyber security breach, as well as the number of material breaches suffered.

The benchmarking study revealed 10 best practices that can reduce the probability of a material breach and the time it takes to find and respond to those that happen:

VIEW ALL

Take cyber security maturity to the highest level

Organisations that are most advanced in applying the NIST cyber security framework outperform others on key metrics, such as time to detect a breach (119 days for advanced v 132 days for others). They also have fewer annual material breaches (0.76 for advanced v 0.81 for others).

Ensure cyber security budgets are adequate

ThoughtLab’s analysis found a clear correlation between investment and results. Respondents reporting multiple material breaches in 2021 spent 12.3 per cent of their total IT spending on cyber security, while those reporting no material breaches in 2021 spent an average of 12.8 per cent, or $4.7 million more. Organisations that spent more also reported faster times to detect and mitigate a breach.

Build a rigorous risk-based approach

On average, risk-based leaders – i.e. those most advanced in quantitative analysis of risk probabilities and impacts – saw 22.5 incidents and 0.75 material breaches in 2021 v 27.1 incidents and 0.88 material breaches for risk-based beginners. In addition, 50 per cent of top performers in time to mitigate took a risk-based approach v 17 per cent of poor performers.

Make cyber security people-centric

Cyber security is as much about humans as it is about technology. Organisations see fewer breaches and faster times to respond when they build a “human layer” of security, create a culture sensitive to cyber security risks, build more effective training programs, and develop clear processes for recruiting and retaining cyber staff.

Secure the supply chain

For 44 per cent of respondents, the growing use of suppliers is exposing them to major cyber security risks. Top performers in time to detect, respond, and mitigate are far more mature in supply chain security. For example, over half of organisations with excellent times to detect are advanced in supply chain security v 25 per cent of those with poor times to detect.

Draw on latest technologies but avoid product proliferation

Organisations with no breaches invest in a mix of solutions, from the fundamentals such as email security and identity management, to more specialised tools such as security information and event management systems (SIEMs). These organisations are also more likely to take a multi-layered, multi-vendor security approach to monitor and manage risks better through a strong infrastructure.

Prioritise protection of links between information and operating technologies

With digital and physical worlds converging, the attack surfaces for respondents are widening. Organisations that prioritise protection of interconnected IT and OT assets experience fewer material breaches and faster times to detect and respond.

Harness intelligent automation

Automation, combined with AI and orchestration, helps CISOs deliver results while freeing up staff from mundane tasks. For example, about three out of 10 organisations with excellent dwell times (the time to detect and remediate) use smart automation v 17 per cent of organisations with poor dwell times.

Improve security controls for expanded attack surfaces

Attack surfaces widened during the pandemic because of greater digital transformation, cloud migration, remote working and supply chain complexity. Research shows that more companies need to put security controls in place to cover their expanding technology environments.

Do more to measure performance

Currently organisations track just 4.2 cyber security metrics on average. Executive teams that are more assiduous – monitoring six or more metrics – experience fewer incidents and material breaches. They also respond faster to attacks.

A coalition of cyber security experts from leading companies, associations, and universities

The research program drew on the expertise of a diverse group of cyber security leaders and experts from across the private sector, government and academia.

The group includes global consulting sponsor Booz Allen Hamilton; lead sponsors Elastic, KnowBe4, Skybox Security, Securonix, Claroty, Axis Communications, Votiro, and Zenkey; supporting sponsors ServiceNow, CyberCube, and Resolute Strategic Services; and research partners Internet Security Alliance and ISF.

The advisory board consists of CISOs and other cyber security experts from a cross-section of industries.

Commenting on the study, Paul Sussman, vice president at Booz Allen Hamilton emphasised that there is more work to be done beyond the ThoughtLab study.

“The research shows that firms have made considerable progress against cyber security frameworks like NIST, but they need to do more to keep their organisations safe.

“This landmark study fills a growing need for industry-specific cyber security metrics that companies can use to measure their performance against their peers,” Sussman said.

[Related: Italy’s institutional websites targeted by pro-Russian hackers]