IT managers are flying blind in the battle to protect their companies from cyberattacks, according to a survey released today. The result is that getting pwned is now the rule, rather than the exception.
Sophos, which publishes this blog, worked with market research company Vanson Bourne to survey 3,100 IT managers across the globe. The survey covered companies in 12 countries, and quizzed organizations with as few as 100 users and as many as 5,000, finding that 68% of companies had been hit by a cyberattack in the last year.
The reason surfaced quickly enough: companies can’t see what’s happening on their endpoint devices. That leaves them struggling to prevent attacks or even to know how and when they happened.
Most threats (37%) are only discovered when they reach servers, and another 37% are detected on the network. Attacks typically start on endpoint devices, so if companies are only picking them up on the server, that means attackers have already been snooping around their infrastructure for some time. Unfortunately, 17% of IT managers didn’t know exactly how long. Those who did know said that attackers had been on their networks for 13 hours before being detected. That’s plenty of time to steal a juicy batch of data or to plant some nasty ransomware.
Not seeing the beginning of the attack chain also makes it difficult for IT managers to understand how the attack unfolded. One in five IT managers didn’t know how an attacker got in, even after discovering the threat.
This means many companies are making security decisions without having all of the facts, the report said. You can’t plug holes if you don’t know where they are.
This inability to shine a light on attackers leaves IT managers shooting in the dark. Organizations that investigate at least one potential security incident each month spend 48 days every year investigating them. Only 15% of these incidents turn out to be malware infections, meaning that IT employees are spending around 41 days each year investigating non-issues.
Why are people running around in headless chicken mode? One of the biggest challenges in prioritising cybersecurity incidents is a lack of security expertise: 80% of respondents admitted that they need a stronger team in place to detect, investigate, and respond to cybersecurity incidents.
Sophos concluded that securing the endpoint is a good place to start. Survey respondents seemed to agree with it. Endpoint Detection and Response (EDR) is a popular tool for those who realise that they are missing important cybersecurity events – 57% of IT managers are planning to use it, with 39% scheduling its introduction in the next six months.
Just installing the EDR software isn’t enough, though, the survey found, as 54% of respondents who had invested in this cybersecurity tool couldn’t get the full benefit from it. The report suggests that management and skills play a part here. Having managers who understand how to drive these tools is crucial.
However you choose to protect yourself, though, one important message comes through: cyberattacks, while not inevitable, are highly probable. And unless you’ve got a beady eye on your infrastructure, you might well only find out about a compromise when you see your internal emails showing up on Pastebin.