According to Trend Micro's biannual Cyber Risk Index (CRI) report, 80 per cent of enterprise respondents expect to experience a data breach that compromises customer data in the next 12 months.
The report surveyed more than 3,600 businesses of all sizes and industries across North America, Europe, Asia Pacific, and Latin America for their views on cyber risk. Despite an increased focus on security after a year of high-profile ransomware and other attacks, respondents reported rising risk because of inadequate security processes, such as failing to back up key assets.
Why security risk is rising
Organisations are struggling as they pivot from traditional to distributed networks. Pandemic-driven work-from-home growth may well be how businesses are run going forward. A distributed network makes it harder for IT staff to know which assets are under their control and which security controls should be in place, and with the line blurring between corporate and personal assets, organisations are overwhelmed by the pace of change.
Cloud deployments bring their own complications: they are often misconfigured, and they leave credentials behind for attackers to find in locations such as GitHub. The cloud has also given attackers more platforms to go after. Where Windows used to be the major target, attackers are now pivoting to Linux and IoT devices.
Where security risk is rising
The Trend Micro CRI report identified the following areas as having elevated risk worldwide, meaning they scored below 5 on a scale of -10 to 10, where 10 is the lowest level of risk:
- Ability of enabling security technologies to protect data assets and IT infrastructure: 4.05
- IT security leader (CISO) has sufficient authority and resources to achieve a strong security posture: 4.09
- The organisation is involved in threat sharing with other companies and government: 4.37
- IT security function supports security in the DevOps environment: 4.40
- IT security function has the ability to know the physical location of business-critical data assets and applications: 4.45
North American respondents had a different list with lower ratings:
- IT security function is able to prevent most cyberattacks: 2.55
- IT security function is able to contain most cyberattacks: 2.80
- The organisation is involved in threat sharing with other companies and government: 3.16
- Ability of enabling security technologies to protect data assets and IT infrastructure: 3.21
- IT security function is able to detect zero-day attacks: 3.32
The report's top threat risks include man-in-the-middle attacks, ransomware, phishing and social engineering, fileless attacks and botnets. Again, respondents doubt that their firms can prevent or detect most cyberattacks, let alone zero-day attacks.
Data types most at risk worldwide, according to the report, are business communication (email), financial information, analytics (data models), consumer data, and company confidential information. The top security risks in infrastructure are organisational misalignment and complexity, cloud computing infrastructure and providers, negligent insiders, shortage of qualified personnel, and malicious insiders.
Mitigating security risk
Firms need to spend more time and resources protecting key data repositories. Too often they are easy to identify and target because the data they hold has patterns that can be scanned for. Credit card numbers, for example, have a distinctive format (a 13-19 digit run with a Luhn check digit) that stands out in a database dump, so you must ensure they are properly encrypted or tokenised at rest and encrypted in transit.
Keeping up with patching is important but difficult for most businesses. The concern is as much about defending against targeted zero-days as about keeping day-to-day patching processes running.
Firms are often unaware of what is attacking them and must defend without knowing their true risks, yet they lack the ability to share threat information. Companies should consider joining an Information Sharing and Analysis Center (ISAC) dedicated to their industry. It is a good way to get early warning of threats and advice on mitigating them.
The typical network generates vast and complex log data. If you do not plan log retention and archiving ahead of time, you will lose the information needed to investigate properly and to understand how the attackers got into your network and what they accessed while they were inside.
Pay attention to cloud and IoT risks. Too often cloud services are set up with overly permissive settings to ease deployment. Review the application-permission (consent) flows in your cloud services so that a firm administrator must approve any new application before it is deployed in the network. Invest in security technology and in hiring staff who can operate it well.
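The point that card numbers "have patterns that can be scanned for" cuts both ways: the same scan an attacker runs over a stolen dump is one a defender can run first to find plaintext PANs that should have been encrypted or tokenised. The following is an added example (not from the report or the article): a small Python scanner that finds candidate 13-19 digit runs, confirms them with the Luhn checksum, and reports masked hits. The record tuples are constructed sample data, and the field names and the `scan_sample` helper are this example's own assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
# The lookarounds stop us matching inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs in text, as bare digit strings."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep the first six (BIN) and last four digits, as PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_records(records: Iterable[Tuple[int, str, str]]) -> List[Dict[str, object]]:
    """Scan (record_id, field, value) tuples and report masked plaintext PANs.

    Tokenised or encrypted values contain no valid 13-19 digit run, so they
    produce no findings; only plaintext card numbers are reported.
    """
    findings: List[Dict[str, object]] = []
    for rid, field, value in records:
        for pan in find_pans(value):
            findings.append({"record": rid, "field": field, "pan": mask_pan(pan)})
    return findings


# Constructed sample rows: two plaintext test PANs, one token, one ciphertext,
# and one digit run that looks like a card but fails the Luhn check.
SAMPLE_RECORDS = [
    (1, "notes", "customer paid with 4111 1111 1111 1111 on 2021-03-02"),
    (2, "card_token", "tok_9f8e7d6c5b4a3210"),
    (3, "card_enc", "gAAAAABk3..."),
    (4, "notes", "order ref 4111111111111112 is a reference, not a card"),
    (5, "notes", "Amex 3782-822463-10005 charged"),
]


def scan_sample() -> List[Dict[str, object]]:
    """Run the scanner over the constructed sample rows."""
    return scan_records(SAMPLE_RECORDS)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"record {hit['record']} field {hit['field']}: plaintext PAN {hit['pan']}")
```

Run against a database export or a backup before an attacker does; any hit means the field is stored in the clear. Checksum validation matters because a bare digit regex produces many false positives on order numbers, phone numbers and timestamps, while a Luhn-valid 13-19 digit run is almost always a real card number.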
Most importantly, the Trend Micro CRI survey shows the need to focus on risk management and on prioritising threats. Once you have that assessment (and, presumably, buy-in from company leadership), it becomes easier to align security mandates across the network and to take on other initiatives, such as reducing complexity in your network.