Computerweekly.com 03 Nov 2017 Warwick Ashford Security Editor
Businesses are nowhere near prepared enough for a cyber attack, according to a poll of information and security professionals
IT security teams are on the verge of a huge crisis, a poll of CISOs, CIOs and senior cyber professionals has revealed.
The cyber professionals identified significant internal and external challenges that they believe dramatically impair their ability to defend their organisations from cyber crime.
The warning comes just months after a cyber governance health check and survey of the UK’s top 350 companies revealed that more than two-thirds of boards had received no training to deal with a cyber incident, and that one in ten operate without a cyber incident response plan.
Some 600 UK and US cyber professionals, polled as part of RedSeal’s second annual Resilience Report, identified four key areas of concern which, unless addressed quickly, they believe will expose businesses to significant cyber threats.
First is a complex threat landscape that is outpacing security teams’ capabilities. More than half (54%) of senior cyber security professionals report they do not have the tools and resources they need, 55% said they cannot react quickly enough to limit damage in the event of a major security incident, and 79% said their organisation cannot access the insights needed to prioritise their response to an incident.
Only one in five said they were “extremely confident” their organisation will continue running as usual upon discovery of a cyber attack or breach.
In February 2017, a Ponemon Institute report found high performing UK companies with a high level of cyber security maturity are leading in cyber resiliency, but most have to work on operationalising incident response plans.
According to the RedSeal research, UK respondents appear to be much more apprehensive about their organisation’s resilience to attack than their US counterparts: almost twice as many UK respondents as US respondents said they were concerned about whether their business could keep running as normal.
Second, the poll revealed that a lack of preparation is pervasive, with only 25% of respondents’ organisations testing their cyber security response to a major incident as often as annually. The survey also showed that the longer it has been since the last test, the lower executives’ confidence in the plan.
On average, it has been nine months since organisations created a complete blueprint, model or map of their entire network. This means pathways through their constantly changing network – and access to their most valuable assets – are neither confirmed to be secure nor clearly known at all.
Some 55% of respondents admit they do not test their strategies frequently enough: 29% because testing is resource intensive, 27% because it is outside their budget, and 26% because it takes too much time.
Third, the respondents said there is a dangerous gap between perceived and true detection times. Once a network is compromised, the report said a cyber attack tends to “fester” until it is detected and resolved.
The report also reveals an industry-wide discrepancy between how long organisations believe it takes them to become aware that their network has been compromised and how long it actually takes.
When ranking their capabilities, cyber professionals voted “detection” as their strongest area (40%), and respondents reported that it takes an average of six hours to discover an incident. Other studies, however, have found that the real “time to detect” is drastically longer.
Reported time to detection ranges from 24 hours, according to the 2017 SANS Incident Response Survey, to a median of 49 days from intrusion to detection in the 2017 Trustwave Global Security Report, and a median dwell time of 99 days in Mandiant’s M-Trends 2017 Report.
The RedSeal Resilience Report said that despite detection being considered security teams’ greatest strength, companies are struggling and not fully informed, citing as an example the fact that fast-food chain Sonic did not know it had been hacked until its credit card processor informed it of unusual activity.
Sonic acknowledged the breach, which compromised more than five million credit cards, only 11 days after the first batch of cards was uploaded for sale.
Fourth, the poll revealed that in many cases compliance and not strategy is driving security planning, with 97% of respondents reporting that external regulations play a major role in their cyber security and resilience planning and implementation.
The RedSeal poll reveals that 92% of organisations have had to adapt the way they meet regulatory requirements because of their use of public cloud platforms such as Amazon Web Services (AWS) and Microsoft Azure, with 12% saying their organisation had to do a total rethink and 49% saying they had to make significant changes.
Only 27% are completely confident their IT systems can support regulatory requirements, which means the remaining 73% of companies are not certain they meet the requirements for using public clouds and may be more exposed to attacks and breaches.
“Having any one of these four areas – resources, preparation, detection and overarching strategy – in crisis is dangerous. Combined, they’re the harbinger of security disaster for any organisation,” said Ray Rothrock, CEO and chairman of RedSeal.
“This report underscores the urgency for the leaders of cyber strategy to pivot and aggressively pursue resilience, the ability to maintain business as usual while navigating an attack, as the new gold standard. Being prepared is the best defence.”
Cyber risk is a business risk
CEOs must recognise cyber risk is also a business risk, and it should be treated as such, said Rothrock. “Yes, they should deploy security software and be prepared to fend off would-be hackers. However, technology alone is no longer sufficient for protecting an organisation’s data and reputation. They must support their tactics – and their business – with an informed strategic approach to cyber security,” he told Computer Weekly.
Businesses will eventually be compromised if any one of these areas is at risk, or not performing at its best, said Rothrock.
“The fact that respondents pointed to all four as being at risk is a huge red flag. Moreover, nearly everyone (97%) reports that external regulations play a major role in their cyber security and resilience planning and implementation.
“That means they’re paying attention to the rules. However – given they also report they last created a map of their entire network nine months ago – there’s no way to know if their most valuable assets are accessible to bad actors,” he said.
Asked what the most urgent call to action would be, Rothrock said operational resilience – proactively managing through a crisis – is the new gold standard overall.
“On the cyber front, digital resilience – the ability to contain the bad guys when they’re inside your network, and protect high-value assets like customer data and content from exfiltration – will protect your networks and your vital financial assets.
“So, it’s important to know your network inside out. Know what’s important to your business and your customers, where it is, and make sure it’s secure. Our research showed 79% of senior IT professionals don’t believe they have the correct access to insights in order to prioritise their response to a breach.
“Networks change by the minute, and not only are organisations waiting the best part of a year to map or blueprint their entire network, but they are not updating their response plan in that time either.
“Tony A Gaskins reputedly said: ‘Success is never an accident; it’s always the result of a plan.’ They say chance favours the prepared, so get prepared and stay ready.”