Companies feel they are losing the cybersecurity battle, according to research released by Sophos this week. IT managers are inundated with cyberattacks from all directions and struggling to plug all the security gaps.
In the survey, titled The Impossible Puzzle of Cybersecurity, Sophos surveyed 3,100 IT managers across 12 countries about their cybersecurity experiences. The respondents, who worked for organizations with between 100 and 5,000 users, reported difficulties in protecting their infrastructures, leading to a large number of successful hacks.
According to the survey, two out of three organizations (68%) suffered a cyber attack in 2018 that they were unable to prevent from entering their network. Nine out of 10 (91%) said they were running up-to-date cybersecurity protection at the time.
Why are companies still getting hit even though they are taking tangible steps to reduce their cybersecurity risk? The report muses that there are some security holes not being plugged.
For example, an up-to-date malware signature list won’t stop attackers hijacking your accounts, while rock-solid authentication won’t help if you’re not protecting your computers from ransomware. Good cybersecurity demands defense in depth and proper risk assessment so that you can protect your weakest spots from attack first.
The survey also revealed that companies are facing attacks via multiple channels, including email (highlighted as a source of attacks by 33%) and web (30%) among others. Software vulnerabilities and unauthorised USB sticks or other external devices were also common attack vectors. Perhaps even more worrying is that 20% of IT managers didn’t know how their networks were compromised.
In many cases, companies aren’t just dealing with one type of attack.
According to Sophos’s report:
Respondents […] revealed that they had suffered a wide range of attacks over the last year.
Over half (53%) of the organizations hit suffered phishing emails; 35% reported malicious code; 35% pointed to software exploits; and 30% highlighted ransomware.
The third problem facing IT departments is a shortage of key skills – 26% of the IT team’s time is spent on cybersecurity issues, demonstrating the intensive effort involved in staving off attacks.
A large proportion of respondents (86%) said that they needed more skills to combat these threats. The problem is they can’t get them: 8 in 10 said that they struggled to recruit the right people.
Part of the problem is that they can’t muster the finances to pay what the market demands. Two-thirds of respondents said that their budgets for people and technology were too low.
The inability to fend off increasingly complex attacks worries companies because of its potential implications. Data loss was the number one concern for 31% of respondents, followed by cost and damage to the business, which were the biggest concerns for 21% of people.
To find out more about what IT managers think, read the full survey.
If you work in IT, tell about the pressures you face.
Anonymous
Start hiring entry level with your mid/senior levels.
Luke
Paying a high level person, and having them train in a team of entry level people is the best way to turn a company into a revolving door or a paid university. All you’ll do it equip people to earn way more than you’re going to be paying them and they’ll bleed off elsewhere. I think this is the big problem.
Anon
Sadly, a lot of the corporate world still hasn’t found this out. There is a lot of strong talent out there that is ambitious and passionate in the IT field, and will come up to speed very quickly and add great value to the company. Unfortunately, many corporations still skip over them and solely want a select few of “IT Professionals” with 8-10+ years of experience, or they will just down right outsource their IT and wonder why it isn’t operating well. Not all corps are this way, but I’ve seen this scenario one too many times.
Mahhn
Read the report. I agree with the staffing issue, as I am the only dedicated IT security person on staff, and when I am out of the office is the most risky times as nobody else has the time or skill sets to cover for me if the SHTF. But we are doing better than the average place apparently – no breach since I started. (or I might be out of a job). To us, the biggest issue would be loss of reputation if we got hit. Knock on wood and keep my fingers crossed, and work as smart as we can.
From your Report
1. Phishing emails 50% – This has my attention all day, black listing (email domains/ip ranges) and blocking web links. Our best advantage is our users are well trained, and get rewards for reporting phishing once and a while.
2. Software exploits 45% – All software in our environment gets pre evaluated (for risk it brings, such as touching sensitive data) and checked for updates regularly. But there is only so much we can do, breached vendors are a concern – particularly for cloud resources.
3. People (staff, contractors, visitors) 44% – I keep a bat on my desk to scare people , just kidding, we track everything and everyone knows it. File got deleted and needs restored, we coach the person who deleted it (even though they may not have realized it) and not just restore it.
4. Insecure wireless networking 36% – this is simple; NO simple wifi. MFA VPN only, yes even in the buildings.
5. Unknown devices 31% – All non-approved USB blocked by default, and logged as to system and account when any device is connected. Network equipment blocks new devices until explicitly trusted – even phones.
It took a few years to get to this point, and there is more to go. We have worked hard and been fortunate. Multiple products (overlap) filtering Email and web traffic also has been a big help. We also track trends of all info sec events, to prove product/process value.
Sorry, this was my longest comment to date.
Velan
I understand your role, as I am in similar role too. What you said is exactly same as I am going through. Constant patching practice is also a key element in preventing attacks. Always check your vendors, many times I get USB from them saying it is clean and already scanned, but get virus warnings when plugging them in. All non-approved USB is blocked. Any visitor / contractor / supplier are totally not allowed to enter the network , all files are sent via email or USB. Make sure IT and infosec policies are well defined and communicated to staff. I realise that IT workload can be reduced if certain services (email, file sharing, ERP) are outsourced to the cloud.
Moses LW Nash
Anonymous: Absolutely! In addition to that, senior management needs to STOP BEING CHEAP with Cybersecurity! In conjunction with your suggestion let there also be highly incentivized and leveraged on-the-job mentoring and apprentice programs that are fully funded and geared toward recruiting new prospects and entry- level conducted by the same mid/senior info security analysts.
Anonymous Too
Sophos PLEASE provide online & live training classes around the globe.
Paul Ducklin
Not exactly what you are looking for, but you might enjoy our “Serious Security” series of articles:
https://nakedsecurity.sophos.com/?s=Serious+Security
We’ve also got an interesting and informative (non-technical) playlist of videos:
https://m.youtube.com/playlist?list=PLKnm0NFN_gbn8OO_FECGsNxH1QkoWJ1O_
Our Naked Security YouTube playlist is very useful if you’re faced with convincing friends or colleagues to take cybersecurity seriously – if they won’t listen when you tell them, maybe they’ll be willing to take some urging from us :-)
Anonymous
If you are current on antivirus, OS updates, block USBs, use 2 factor, remove admin rights, have an awesome firewall and train on phishing, what more can you do? What skills could someone bring to the table that you already don’t have in place with your software?
Eric
Encryption, system hardening, Asset Management, network and endpoint visibility.
You need a fully staffed SOC or hire an MSSP or MDR service to truly effectively monitor and respond to your SIEM data, EDR data, and any other data and analytics tools you might have. There’s no one-size-fits-all solution, unfortunately. The convergence of IT and OT brings challenges beyond just network segmentation, at least for some businesses. It’s all about managing risk and doing what’s best for the business. There’s an endless list of tools and initiatives, but without knowing your risk, you can’t determine your critical gaps or the most effective means of preventing some sort of loss.
Anonymous
Backups, backups, backups. Did I say backups? And so much more including SIEM/SOC and DNS filtering.
setnaffa
There are so many other vulnerabilities you didn’t mention it would take an entire website…
Richard
And re-hire the over-50s you pushed out a few years back.
Surreal
I have a theory why over-50s aren’t getting hired, based on personal experience.
Based on my company’s need, I’d been transitioning from Systems Programmer to Security Guy for 5+ years when the CISSP cert was floated as an idea. Now, I have more knowledge and experience than a minivan full of recent graduates, but no initials after my name (OSCP, CISSP, etc. etc.)
It’s obvious to an H.R. hiring droid that I’m totally unqualified.
Don’t even get me started on CISSP, “a mile wide, and an inch deep”. Crikey.
Mahhn
I am in the same category, old, no (important) certs, 20+ years experience (Sr desktop for 15). I was given the opportunity at a new employer several years ago as InfoSec and proved my worth quickly. I studied for the CISSP and have next to no respect for it now. My experience runs circles around what they teach for Real World practicality. But if you have no experience, it can be a start (but half the book is acronyms and useless rainbow book crap). If I ever look for a new job I will need to rely on referrals/references. But at the same time if I move on, I don’t think I want to work with computers ever again lol
The right person to upgrade into InfoSec in my opinion is someone very creative, analytical and a learning on their own junkie! Book smart holds no water without experience, hence junior rolls are needed for people to get that. Cross training not only brings juniors up to Sr level, it also encourages team work, job satisfaction – which encourages people to stay at that employer.
Anonymous
Thats what happens when you ditched the experts and settled for the diversity hire crap.
Adam
I saw a cartoon once that went something like this:
Manager: But what if we train our Security staff and they leave??
Team Lead: What if we don’t and they stay?
It seems a lot of higher-ups think that they can simply hire their way out of the problem, but training is half the battle.
Anonymous
Couldn’t agree more…
Anton k
The Truth is , Most Companies or organisations and some government departments , Invest less capital in the IT field.
They look at IT/ cyber security as a customer services kinda of department (meant to make people happy).
Directors and CFO’s do little to evaluate what IT is worth for the growth and development of the company or organisation.
Dave
Agree with most here. IT Managers only want to hire experienced people but not train entry-level people. There are some very knowledgeable and bright people out there that just need time to become experienced. As for the “revolving door”, some states will allow a contract where as an employee agrees to work so many years or pay back the cost of education.
I have also noticed that IT Managers are under the impression that they can only hire someone from out of the Operations Center. There are some good software engineers/developers that have the know-how to excel as an analyst/auditor or other capacity other than a Network/Security Engineer.
Bruce
1. Educate users
2. All servers and computers be fully updated
3. Backup backup backup… paying ramsomeware hackers to gain control of your network just adds to the problem.
4. Have a fully updated warm site that can be activated when your main network goes down.
5. Don’t rely on the cloud… it too can fail
setnaffa
I know at least a dozen folks with cybersecurity training paid for by themselves, certifications to back up the training, experience in IT but not security, and no job.
I think part of the problem is with companies unwilling to look at people who are making the effort to be available…
Or it it fashionable to just whinge about shortages?
Companies with shortages should look on LinkedIn and/or contact the places like New Horizons, NPower, and LeaderQuest who are training the people they claim they need.
Epic_Null
Personally, I’d suggest working with headhunters like Indeed – people new to the field have no clue what fancy term set is used to represent the positions that reflect their training (college experience, but no work experience) , which makes finding the positions much more difficult.
Dave
Yup. I’m one of them. 15 years as a Senior Software Engineer. 15 years running my own little computer repair shop (gave me more time with my kids; all grown up now). CompTIA Security+, CySA+, and studying for PenTest+. Can’t land a job. I’m really thinking about brushing of the old C++/C# skills and getting back into Software Engineering, even as an entry-level.
Surreal
Lol. I’ve thought the same about alleged shortages.
I suspect an issue is the belief an Expensive Haxor must be ready, certified, and eager to act as the entire IT department – DBA, Server Admin, Network Admin, Code Auditor, B.S. or better in CompSci required, and on-call 24×7 (in a demanding environment).
I decided I’d retire from my long-time position, and explore a new area of Infosec. “There’s a huge shortage! My biggest problem will be deciding which offer to accept!” 7 months on, I haven’t had to file that retirement paperwork yet.
Mike
What’s worse than training your employees and have them leave? To not train them and have them stay. If the company and the culture is right people won’t leave.