How to assess your cyber security risk & make improvements

A new report published recently in InformationWeek looks at how enterprises are attacking the issue of cyber security.

The report, compiled by Dark Reading and sponsored by ServiceNow, details the top cyber security risks, and the measures currently being used by enterprises to fight these risks, as well as those advised by security experts.

‘How enterprises are attacking the cyber security problem’ compiles data from a detailed survey of 150 IT and security practitioners including CIOs, CTOs, CISOs, and other IT and security practitioners representing companies from the banking, healthcare, government, manufacturing, agriculture, media industries, and more.

Assessing your cyber security risk

Organisations report higher incidences and expectations of security attacks, with rising attack volumes and threat sophistication emerging as the major concerns. The increased complexity of attacks (cited as the top concern by 38% of respondents) and rising concerns over the ability of security leaders to enforce policies across the organisation are adding pressure.

But what are the main threats in terms of actual attack volumes? When asked about security breaches over the past year, half the organisations reported experiencing malware (52%) and phishing (50%) attacks.

Which types of security breaches have occurred in your organisation in the past year?

• Malware (52%)
• Phishing (50%)
• A targeted attack aimed specifically at my organisation (19%)
• Ransomware (14%)
• Data theft (12%)
• Theft of computers or storage devices (12%)
• Database/content/data management system compromise (11%)
• Denial of service (11%)
• Compromise of internally developed applications (10%)
• Attackers gained access through partner systems (9%)
• Network compromise (9%)
• Operating system compromise (9%)
• Compromise of off-the-shelf applications (8%)
• Website vandalised or site content manipulated (7%)
• Mobile device or application compromise (6%)
• Hardware compromise (5%)
• Physical break-in (%5)
• Compromise by state-sponsored attacker (2%)

What security technologies are enterprises using?

Staying on top of what the report calls “the mushrooming security technology stack” is a significant and growing challenge for organisations. With so many technologies to keep pace with, they require more resources and expertise to manage.

The survey showed that in 2019 most organisations employ basic foundational tools such as email security, spam filtering and firewalls. Around half of these have formal patch management controls and tools for enforcing wireless policies.

Which of these security products are currently in use in your organisation?

• Email security and spam filtering (84%)
• Antivirus and anti-malware (82%)
• Data encryption (75%)
• Endpoint protection (72%)
• VPN Traditional firewalls (69%)
• Patch management (55%)
• Next-generation firewalls (52%)
• Intrusion prevention or intrusion detection (51%)
• Data loss prevention (49%)
• Identity management (45%)
• Application and vulnerability scanning tools (43%)
• Vulnerability assessment or penetration testing (43%)
• Wireless security enforcement (42%)
• Log analysis, security event management, or security information management (40%)
• Endpoint detection and response (EDR) (33%)
• Network anomaly detection tools (29%)
• Third-party penetration testing services (29%)
• Web application firewalls (29%)
• Sandboxing tools (26%)
• Managed security services (24%)
• Behavioural “zero-day” detection tools (23%)
• Threat intelligence services (22%)
• Network access control (NAC) (21%)

Should I focus on security hygiene or breach prevention?

The widespread adoption of breach prevention technologies shows that organisations are mainly focused on stopping attacks at the network perimeter.

However, as the report highlights, the majority of breaches actually occur because of a “lack of basic security hygiene” (around 80%, according to observations made by John Pescatore, director of emerging security trends at the SANS Institute).

Instead, organisations are advised to adopt an “assume breach” strategy. “Practices such as accurate inventory management, asset visibility, rapid patching, shielding, and segmenting against vulnerabilities that can’t be fixed quickly” should remain a priority, according to Pescatore.

Ensuring your users have a good understanding of basic IT security best practices can also reduce your organisation’s cyber security risk. Reassuringly, the report found that 72% of organisations now provide end-user security awareness training as a standard security practice.

CIS advice on essential security controls & practices

The Center for Internet Security (CIS) has identified 20 essential security controls and practices, many of which were listed as being used by respondents to the Dark Reading survey.

According to the SANS Institute, the CIS controls are effective “because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very board community of government and industry practitioners.”

Included within this list of foundational controls are “email and web-browser protections, malware defences, data leak prevention, and wireless access control tools”, as well as “controls for limiting access to network ports, protocols, and services; controls for limiting access to Internet-facing systems; and least-privileged access controls.”

As well as these “foundational controls”, the CIS also identifies what it calls “5 CIS basic controls” and “4 CIS organisational controls”.

The basic CIS controls include continuous vulnerability management; controls for monitoring, tracking, and preventing misuse of administrative privileges; and controls for maintaining and managing log data. The organisational controls include penetration testing / red-team exercises and application software security programs.

Top 3 most valuable security products and practices

In the survey, respondents were also asked what they rated as their most valuable security products and security practices.

3 most valuable security products:

• Data encryption (38%)
• Email security and spam filtering (36%)
• Next-gen firewalls (30%) / Antivirus/ Anti-malware tools (27%)

3 most valuable security practices:

• End-user training and awareness programs (52%)
• Multifactor authentication (47%)
• Strong passwords (32%)

Security for cloud migration and digital transformation

Emerging threats, particularly those related to cloud migration, accelerated software development cycles, and enterprise mobility are causing headaches for a lot of organisations.

Survey respondents were concerned about rising attack volumes and the increased sophistication of threats, with more than two-thirds (67%) saying this has increased their vulnerability to a data breach.

It is estimated that public cloud revenue will grow 17% in 2020 (Gartner) as CIOs embrace the cloud globally. While Software as-a-Service (SaaS) will remain the biggest category, but enterprises will increasingly move business-critical workloads to Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) environments as well, according to Gartner.

Analyst firm Enterprise Strategy Group (ESG) predicts that in the next few years, large organisations will transition from security approaches based on disconnected point products and manual process towards relying instead on “infrastructure made up of tightly integrated security platforms with cloud-based management and distributed enforcement of security policies”, with automation and integration at their core.

Strong authentication and persistent data encryption are vital basics for accessing any assets in the cloud, and organisations should ideally make sure these same controls apply to all users. “Almost all cloud storage services have encryption and key management capabilities,” Pescatore says. “Start using them, then look for solutions later that will work across multiple cloud services.”

virtualDCS employs these measures across all our systems and for all our users. Security is a key area where we’ve always made sure we stay ahead of the curve and go well beyond the basics to provide or facilitate the highest level of security possible for our clients and partners.

How your cloud provider can help you with cyber security

An appetite among respondents for cloud security technologies came through strongly in the survey, with many now working with their cloud security provider to deliver this. For example, 45% of organisations are using their cloud provider to encrypt all data stored in the cloud and 43% are using it to continuously monitor and reports on anomalies.

Which security capabilities does your cloud services provider currently deliver to your organisation?

• Encryption for all data stored in the cloud (45%)
• Continuous monitoring/reporting of security anomalies or suspected compromises related to your data (43%)
• On-demand reporting of security status (37%)
• Immediate alerts of suspected compromises of your organisation’s data (27%)
• High-security services or containers for critical data (24%)
• Security guarantees and/or service level agreements that specify security effectiveness (22%)
• The ability to isolate and quarantine applications or data segments that might be compromised (22%)
• Regular security assessments of the data stored by the provider (22%)
• Incident response services in the event of a suspected breach of your organisation’s data (20%)
• Accountability and recompense for breaches that occur at the service provider’s level (10%)

Increased expenditure on security tools and services that are embedded in cloud services is predicted by the SANS Institute’s Pescatore.

Organisations with on-premise data centres that have been virtualised will also “invest more in security capabilities embedded in VMware and other third-party products”, he says, with “emerging technologies for detecting and responding to threats on enterprise endpoints, networks, and mobile devices” as additional areas of investment.

So how does your organisation match up?

Hopefully, the summary we’ve provided here has given you a broad enough overview to better understand current cyber security threats and to benchmark your organisation against other enterprises for risk mitigation technologies and practices.

If you want to discuss any of this in more detail and gain a better understanding of cyber security improvements that your organisation specifically could make, you can contact us online or give us a call on 03453 888 327.