CISOs face a rising ‘security debt’ to secure their workplaces against an increasing volume of attacks by well-armed criminals. Yet despite going up against a criminal industry that enjoys advantages of speed and shared weaponry, CISOs and their teams report turning away an increasing volume of attacks and preventing more of them from becoming breaches or compromises, according to a new report from a cyber security firm.
Besides the example of high-profile ransomware attacks, service and affiliate models are making threat groups more effective, says F-Secure with Omnisperience. The sharing of tooling and offensive knowledge makes it easier to conduct more attacks against more targets. Nearly all the CISOs surveyed – 96 per cent – acknowledge that they face a well-organized criminal industry motivated by financial gain. About seven out of ten CISOs (72pc) say adversaries are moving faster than they are, and a similar number (69pc) say their adversaries have improved their attack capabilities in the last 12 to 18 months.
F-Secure’s Michael Greaves, security advisor for Managed Detection and Response, says: “Despite pervasive ‘security debt’ and reporting a rising number of cyber attacks, CISOs say that the number of incidents, which includes a breach or unauthorized access to a system, they faced remained pretty much the same. This could be because CISOs have made the right investments. However, it is the incidents that haven’t been discovered which worry us most. Because of the sophisticated nature of some of these attacks, organizations may not have the technology or people to identify they are in the middle of a compromise that, for example, may result in a ransomware deployment months down the road.”
The report suggests that employees are the primary attack vector, according to 71pc of the CISOs interviewed, as attackers take advantage of social channels to launch more sophisticated targeted attacks. The top three threats CISOs and their teams face are phishing, ransomware and business email compromise (BEC). Securing the mobile or remote workforce, which has exploded during the pandemic, presents a number of risks, particularly where employees and devices are separated from traditional controls that could prevent their compromise. And a majority of CISOs – 71pc – report that their ideas about what constitutes “good security” have evolved recently.
Criminals write, update and can integrate their own code while CISOs generally lack the scale and resources to develop their own tools. This creates a critical dependency on security vendors and constant questions about which tools are the right fit for them, the report suggests.
The report, CISOs’ New Dawn, is based on interviews with 28 CISOs from the United States, the UK and other European countries. Visit blog.f-secure.com/the-cisos-dilemma/.
Read the full report at: https://www.f-secure.com/en/business/resources/an-effective-security-leader/publication.