Published on May 2nd, 2019

New Cybersecurity Report Warns CIOs — ‘If You’re Breached Or Hacked, It’s Your Own Fault’



"For all the focus and investment in cybersecurity, the majority of businesses in the U.S. and U.K. are still leaving their doors wide open to attacks. Attacks that can potentially stop business operations for a few hours, and at their worst, wipe billions from the value of a company overnight." So says a new cybersecurity survey conducted by endpoint management specialists 1E and technology market researchers Vanson Bourne, a survey that questioned 600 IT operations and IT security decision-makers across the U.S. and U.K., and found that 60% of the organizations had been breached in the last two years and 31% had been breached more than once.

Sumir Karayi, CEO of 1E, told me that the research showed "the vast majority of successful attacks today are using known vulnerabilities in well-known software that have been patched already by software vendors. So, most of the successful attacks can be stopped just by knowing what you have out there and making sure it’s patched. But for about one-third of the IT estates of these organizations, the CIO's team doesn't actually know what hardware is out there or what software is running on it. So how are you going to patch that? I don’t know those machines exist, or the software running on those machines."

I asked him if that meant that his message to the CIO and CISO community was that if you’re breached or hacked, it's your own fault. He paused, and then said "yes."

Doors wide open and eyes closed shut

Think about WannaCry or NotPetya (the 2017 ransomware attacks on computers running Microsoft Windows), he explained. "The vulnerabilities were known and patched. So why weren’t we using those? Why weren’t they applied? The reality is that most organizations are not focused on that. What a lot of the security teams are doing is deferring that responsibility for patching, when it's really the best defense, closing your doors and windows. And the research tells us that it isn’t working."

That research claims that "despite significant cybersecurity investment in many areas, there has been very limited improvement with the largest factor in organizational vulnerability: keeping endpoints properly patched and updated," and that "93% of respondents are experiencing challenges - amongst a wide range of issues, the leading ones are restrictive budgets, a lack of understanding between IT Operations and IT Security, and legacy systems."

And it gets worse, Sumir told me. "A Forrester industry analyst who is tracking 150 or so security companies said that he’s hearing about five or ten new ones almost every week in the security space. And each one is talking of a bigger and worse threat than the rest that they can fix. I feel that there is an exaggeration by the security vendors because there’s this feeling of free money in the space. It's like leaving your house with the doors and windows open but buying the best alarms and thinking you’ll be secure. You’re not. People can just walk in."

"It takes just one device that isn’t fully updated to create a network entry point, putting the entire organization at risk," the research explains. "Yet, our data reveals how little visibility – let alone control – IT Operations has over corporate endpoints, especially the growing number of remote worker endpoints. This lack of visibility and control compromises efforts to properly patch and protect the environment."

Simple themes

These are the themes that come across throughout the research, throughout my discussion with Sumir: automated patching and upgrades, remote working, expanding numbers of endpoints, lack of basic IT housekeeping, and, above all, the tension and poor working relationships between IT operations and security teams. "Respondents identified a lack of clear security protocols (52%) and unpatched software (51%) as the principal causes of breaches, followed by lack of IT Security/Operations collaboration (42%) and a lack of patch automation (40%)."

Sumir told me that "97% [of survey respondents] believe that better collaboration between IT security and IT operations is a good thing. That’s important because we don’t see it in practice all the time. The basic view is that Security doesn't trust Ops, and Ops thinks Security will just say no to everything."

Microsoft MVP Jason Sandys, quoted in the report, says that it’s a behavioral issue. "It’s political. There’s a lack of cohesion and a disparity in objectives. IT Security thinks it’s seen as the enemy; the blocker to productivity. IT Operations will push ahead with a project, but it’ll be inhibited by the IT Security team, which naturally has to be cautious. It scuppers collaboration."

Changing times

And remote working makes all this almost impossible to fix. "Remote workers don’t always have a strong affiliation to the company," Sandys is quoted as saying. "The natural attachment you get from being in an office isn’t necessarily there. That's a big security concern because the average employee isn’t focused on defending the network. It’s even tougher to get on the remote workers’ agenda. Once the system is compromised, the data is compromised."

Sumir told me that "a lot of the security tools were designed for when people came into the office and weren’t working from home, they were designed for machines inside the corporate perimeter, in a well managed and fast connected environment, when hours of work were known as well. None of that is true anymore."

And so, according to the research, "less than a quarter [of organizations] believe that they are extremely prepared to react to a serious data breach."

People have different work patterns. They also have more devices. "The numbers of devices are going up, and that's such a big factor," Sumir explained. "The same problems we solved with PCs we now have to solve with IoT. Firmware has to be up to date and patched, devices have to have the right settings. Any IoT device is networked, it's a point of ingress into the corporate network, a point of entry into the organization, its security is your problem. If it's not secure then someone has direct access to your corporate network, which means your perimeter has been breached."

What about IoT?

Sumir told me that they had sought to rehearse how an IoT security program might work. "We wrote a product for IoT scale, tested it to 1.5 million endpoints. It was challenging. It took us the first year or two just to get the infrastructure right, to manage at that kind of scale. There are not many security tools that come close to that sort of number, given the amount of traffic that has to come up and down the network."

And with so many CIOs or CISOs being in post for two years or less, he said, that doesn't help. "With this longevity of CIOs and CISOs, you do have to wonder whether there’s any correlation between this and the fact that businesses are suffering on a fairly regular basis. Are companies asking for it? Is it their fault? And there are some bigger issues here. The fact is that there are extremely well-equipped criminal organizations. But you can’t defer this responsibility. It’s your problem. But this report tells us that people don’t even know what they have in terms of endpoints and software."

The report found that "the Dark Web has made it easier for attackers to monetize stolen data. As the value of data has increased, so has the funding and sophistication of the cyber-criminals seeking to exploit vulnerabilities in software to access it. Breaches are becoming more frequent and more damaging."

"The problem seems to be getting worse," Sumir told me, "and we have to deal with it because otherwise, the number of breaches will keep increasing. Going digital means more software which means more vulnerability, more attack surfaces. Remote working is a change that businesses haven’t woken up to yet. And so IoT is a major future worry."

"What’s clear is that these issues cannot continue," the report says. "There is far too much on the line, particularly when more malicious, more well-funded, and more organized attacks are taking place."

Making improvements

The report concludes with advice and a ten-point action plan from Michael Daniel, former special assistant to President Obama and currently President and CEO of the Cyber Threat Alliance. "While you can never drive your cyber risk to zero," he says in the report, "if IT and cybersecurity operations work together, you can dramatically lower your risk profile."

Sumir told me it all comes down to "visibility, what you can’t see you can’t protect. And to dealing with trust, if you’re not working together you can’t defend together. And timing. Responding fast. Most IT teams are still woefully slow," he said. "Days and weeks to respond, think about NotPetya infecting 40,000 to 50,000 endpoints in a few hours, taking up more and more resource. If you don’t react in the first few seconds or minutes, you're always playing catch up."

And that means more money spent better. "When it comes to budget allocation," the report says, "the vast majority (90%) of respondents report that their business prioritizes other things over cybersecurity. The more pressing question is: how do we prioritize the resources that are allocated? Our respondents believe that an increase of investment is required most in these areas: the automation of software migration (80%), breach response and remediation (67%), and/or software patching (65%)."

The report makes for interesting reading. It's inevitably skewed towards endpoint security given its sponsors. But the themes around remote working and IoT vulnerabilities are clear for all to see, even if the idea that different IT organizations might put aside their politics and differences and work together might be less so.




