Many IT managers and IT consultants are struggling to keep pace with the rate of cyberattacks on businesses. Research suggests that in 2018, two-thirds of organisations were hit by a cyberattack. The Sophos report lists the primary reasons why organisations are struggling to reduce their risk as:
- a lack of technology, talent and time
- multidirectional attacks
- multi-stage, coordinated and blended attacks
The Sophos commissioned a survey of 3,100 IT managers across 12 countries between December 2018 and January this year, ‘The Impossible Puzzle of Cybersecurity’, said that the struggle between IT/Security professionals and cybercriminals continues unabated. As advancements in cybersecurity protection technologies are made, so too are the capabilities of threat actors.
Cybersecurity attack rates
- Of those surveyed, 68{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} said that their organisations were hit by a cybersecurity attack last year.
- Of those affected organisations, the average number of attacks for the year was 2. While 10{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} of organisations had been hit by 4 or more attacks.
- Nine in 10 respondents whose organisations had been hit said that they had up-to-date attack protection measures in place at the time of the attack.
The risk of a breach can never be completely eliminated. IT managers and consultants need to remain vigilant and operate at the highest level of assumed risk at all times.
IT managers ranked the consequences of cybersecurity breaches in order of importance as:
- Data loss. ⅓ of respondents said this was their top concern – and more than 2/3 had it in their top 3. Businesses need to ensure they are investing in backup, recovery, and data loss protection (DLP).
- Cost. 21{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} of respondents said that the cost of response as the biggest concern arising from cybersecurity attacks. Research has found that for small to medium-size businesses, the average cost of a security breach increased by 61{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} from US$229k in 2018 to US$369k this year.
- Business damage. 21{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} of respondents rated this as their top concern, while 56{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} listed it as a top 3 concern. PricewaterhouseCoopers found that 85{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} of consumers will not do business with a company if they are worried about its security practices. The reputational effects of a significant cybersecurity attack can be at least as costly as the initial response costs.
Multiple directional attacks
- 33{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} of attacks were via email, making it the most common attack vector
- The Internet is used in 30{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} of attacks
- 23{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} of attacks used software vulnerabilities as the means of entry
- 14{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} were launched via external devices, such as USB stick
In 20{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} of cases, respondents were unable to identify the attack vector. This points to ineffective incident response capabilities, which is likely the result of a lack of resources,
Regional variations also affect threat vectors. In Mexico, USB sticks and external devices tend to be the main source of an attack, while in India it is software, the report said.
Responding to risk
As there is no overwhelming single approach to attack, it makes sense that security efforts take a multi-pronged approach too:
- Patch updates. Ensure that you reduce risk from software vulnerabilities.
- Spam filters. Page blockers and policies warning against clicking on links/attachments from unknown sources reduce the likelihood of email/web-based attacks.
- Physical port restrictions at endpoint level help deal with the risk of attacks being introduced via USB drives & devices.
- User Education. The employees who are using the computers need to be educated on how they can make positive contributions to the security of the business, such as updating apps, not opening links and running malware updates on a regular basis.
The nature of attacks
Attacks were found to include the following elements:
- 53{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} Phishing email
- 41{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} Data breach
- 35{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} Malicious code
- 35{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} Software exploit
- 30{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} Ransomware
- 21{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} Credential theft
According to these figures, most organisations are experiencing multi-faceted attacks. Users are being successfully targeted with phishing messages, triggering the launch of malicious code leading to unlawful systems access violation, giving rise to a data breach.
This is occurring because, on average, IT departments devote only 26{21dc2fe1b43c4cf57a2e25a56b286f09fbb32a45ddf34dcf04be366972dd7b06} of their time to managing cybersecurity. And many IT managers are honest about the fact that they require higher-level skills to deal with cybersecurity issues. Such people are specialists, and most organisations either cannot afford or do not have access to such talent.
To help mitigate cybersecurity threats, IT managers can enhance security information and event management (SIEM) capabilities and increased automation of patch management, backups and reporting.
However, educating your whole team about how to help prevent attacks, how to manage their devices and understand how attacks can occur is one of the most effective measures against cyberattacks. The more that people understand the risks and costs, and how simple it can be to assist to prevent attacks, the more likely they are to be vigilant and protect your business online.
Welcome to Our Blog
We want to share our expert knowledge with you, and that is why we want you to know that all of our blogs are written by our in-house writing team.
Our writers do the research, discuss the topics and form their own opinions. They do not write for a commission from any sites, products or services mentioned, and we do not publish advertorials or paid reviews.
We enjoy writing for you and will continue to be transparent about our blogs, which are only opinion pieces.
