12/13/2018 05:30 PM
Despite Breaches, Many Organizations Struggle to Quantify Cyber-Risks to Business

Familiar old security challenges are still holding enterprises back, a new survey shows.

Many organizations are still struggling to adopt a more risk-focused approach to cybersecurity, although the need for it has been recognized for years.

Some familiar issues have been holding them back, including infrastructure complexity, third-party risks, understaffing, resource shortages, and — most significantly — not measuring cyber-risks and their impact on business.

Security vendor Tenable recently commissioned the Ponemon Institute to evaluate how enterprises are measuring and managing cyber-risk.

The poll of 2,410 IT and security practitioners in the US and other countries showed that a depressingly large number of organizations are continuing to experience business-disrupting cyber incidents — some of them multiple times over a relatively short time. Ninety-one percent of the companies surveyed reported experiencing a damaging cyberattack over the past two years; 60% had two or more.

Thirty-one percent experienced a data breach involving 10,000 or more customer or employee records in the last two years. A substantially larger 52% — more than half of all organizations surveyed — expect they'll experience a breach of this magnitude in 2019.

"At a time when business-disrupting cyber events are impacting almost all organizations, CISOs are unable to confidently quantify cyber-risk's impact to business operations," says Bob Huber, CISO of Tenable. "This is leaving the C-suite and boards of directors without actionable insight to make decisions" to alleviate business risk.

The Tenable survey showed that, with a couple of exceptions, the threats that organizations are most worried about are the same as they have been for the past several years. The top concerns this year were malware, with 48% saying they had experienced at least one malware attack in the past two years; third-party risks (41%); and leakage of emails and other business confidential information (34%).

Worries over some threats, however, appear to be spiking. Sixty-four percent — nearly two-thirds — ranked third-party risks as their top concern for 2019. The number is significantly larger than the 41% that actually reported a security incident involving a third party over the past two years.

Similar spikes were apparent in other areas as well. For example, 56% identified an attack on Internet of Things or operational technology (OT) assets as their biggest cybersecurity concern for 2019, though just 23% reported experiencing an actual attack of this type in the past 24 months. Economic espionage and attacks that disrupt OT infrastructure are also top-of-mind concerns for 2019.

Significantly, for all the hype around nation-state attacks, fewer organizations (13%) expect to experience one in 2019 than the 15% who said they already had become victims of one in the past two years.

The reasons for the overall pessimism appear tied to long-standing factors. Though organizations represented in the survey had 19 employees, on average, involved in vulnerability management, 58% still felt they did not have adequate staffing to scan for vulnerabilities — including publicly disclosed ones — in a timely fashion. Somewhat unsurprisingly, a nearly identical proportion (59%) said they had no set schedule for vulnerability scanning or did not scan at all.

The Tenable/Ponemon survey showed that a large share of organizations are struggling to keep pace with the stealth and sophistication of attackers, reduce complexity in their IT security infrastructure, improve third-party controls, and control access to sensitive data.

While such factors have heightened the need for more risk-focused approaches to cybersecurity, Tenable's survey showed that many organizations are still only just getting there.

Risk Measurement & Management: Work in Progress
"While some organizations are making strides in improving their security maturity and mapping cybersecurity strategies to the business, there is still room for improvement," Huber says.

For example, despite the enormous financial implications of data breaches and other security incidents, many organizations still have a poor understanding of the business costs of cyber-risks.

Fewer than half of the organizations represented in the survey (about 1,110 of the 2,410) said they measure, and so understand, the business impact of cyber-risks. Of those, only 41% are required to report that analysis to their board and business leaders, and more than six in 10 did not believe their measurements were very accurate.

In general, more respondents said certain key performance indicators (KPIs) are important for understanding risk than actually use them. For example, 70% considered time to remediate risk an important KPI and 64% said the same of time to assess cyber-risk, but only 46% and 49%, respectively, are using those metrics.

The same gap was evident in the use of KPIs to measure the business impact of a cyber incident. Sixty-eight percent believed it was important to have a way to measure loss of revenue resulting from a cyber incident, but only 56% actually are using KPIs to do that. Seventy percent said KPIs for measuring loss of productivity were critical even though only 48% are actually using them.
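The time-to-assess, time-to-remediate and business-impact KPIs discussed above, computed over a small vulnerability-ticket log, as an added example; this is not code from Tenable, Ponemon or Dark Reading. The record layout, the per-severity SLA targets, the severity weights and the business-tier weights that tie open findings back to the assets they sit on are all assumptions, and the sample log is constructed.

```python
"""Vulnerability-management KPIs from a ticket log (added illustration).

Assumptions (not from the article): each finding records when it was
discovered, when it was triaged/assessed, when it was remediated (None if
still open), its severity, and the business tier of the affected asset.
SLA targets and weights below are illustrative values, not a standard.
"""
from datetime import date
from statistics import median

# Assumed remediation targets in days, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Assumed weights used to express open exposure in business terms rather
# than as a bare count of findings.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
TIER_WEIGHT = {"revenue": 3, "internal": 2, "lab": 1}

# Constructed sample log (not real data).
SAMPLE_FINDINGS = [
    {"id": "F-1", "discovered": "2019-01-01", "assessed": "2019-01-02",
     "remediated": "2019-01-06", "severity": "critical", "tier": "revenue"},
    {"id": "F-2", "discovered": "2019-01-03", "assessed": "2019-01-05",
     "remediated": "2019-01-20", "severity": "critical", "tier": "internal"},
    {"id": "F-3", "discovered": "2019-01-04", "assessed": "2019-01-10",
     "remediated": "2019-01-25", "severity": "high", "tier": "revenue"},
    {"id": "F-4", "discovered": "2019-01-10", "assessed": "2019-01-12",
     "remediated": None, "severity": "high", "tier": "lab"},
    {"id": "F-5", "discovered": "2019-01-02", "assessed": "2019-01-04",
     "remediated": None, "severity": "medium", "tier": "revenue"},
    {"id": "F-6", "discovered": "2018-12-01", "assessed": None,
     "remediated": None, "severity": "low", "tier": "internal"},
    {"id": "F-7", "discovered": "2019-01-05", "assessed": "2019-01-06",
     "remediated": None, "severity": "critical", "tier": "revenue"},
]
AS_OF = date(2019, 2, 1)  # reporting date for still-open findings


def _d(s):
    """Parse an ISO date string; None stays None (field not yet filled)."""
    return date.fromisoformat(s) if s else None


def time_to_assess(findings):
    """Median days from discovery to triage, over findings that were triaged.
    Returns None when nothing has been assessed yet (median() would raise)."""
    vals = [(_d(f["assessed"]) - _d(f["discovered"])).days
            for f in findings if f["assessed"]]
    return median(vals) if vals else None


def time_to_remediate(findings, severity=None):
    """Median days from discovery to fix over closed findings, optionally for
    one severity. Open findings are excluded so they cannot flatter the KPI."""
    vals = [(_d(f["remediated"]) - _d(f["discovered"])).days
            for f in findings
            if f["remediated"] and (severity is None or f["severity"] == severity)]
    return median(vals) if vals else None


def sla_breaches(findings, as_of):
    """IDs of findings whose fix took, or has so far taken, longer than the
    severity SLA. Open findings are aged up to `as_of`, so a critical that
    is still open after 27 days counts as a breach, not as 'no data'."""
    out = []
    for f in findings:
        end = _d(f["remediated"]) or as_of
        if (end - _d(f["discovered"])).days > SLA_DAYS[f["severity"]]:
            out.append(f["id"])
    return out


def sla_breach_rate(findings, as_of):
    """Fraction of all findings (open or closed) that are past SLA."""
    return len(sla_breaches(findings, as_of)) / len(findings) if findings else 0.0


def weighted_open_exposure(findings):
    """Sum of severity weight x business-tier weight over open findings: a
    single number that moves when a critical on a revenue system is fixed and
    barely moves when a low on a lab box is fixed."""
    return sum(SEVERITY_WEIGHT[f["severity"]] * TIER_WEIGHT[f["tier"]]
               for f in findings if not f["remediated"])


def kpi_report(findings, as_of):
    """Collect the KPIs into one dict suitable for a board-level summary."""
    return {
        "median_days_to_assess": time_to_assess(findings),
        "median_days_to_remediate": time_to_remediate(findings),
        "median_days_to_remediate_critical": time_to_remediate(findings, "critical"),
        "sla_breach_rate": sla_breach_rate(findings, as_of),
        "sla_breaches": sla_breaches(findings, as_of),
        "weighted_open_exposure": weighted_open_exposure(findings),
    }


if __name__ == "__main__":
    for key, value in kpi_report(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{key}: {value}")
```

The point of ageing open findings up to the reporting date and of weighting by business tier is exactly the gap the survey describes: a median time-to-remediate computed only over closed tickets, with every finding counted equally, is a tactical number that says nothing about which exposure the business is actually carrying today.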

Exacerbating the situation is the fact that the KPIs that organizations are using are designed for on-premises infrastructure and therefore are inadequate for current environments that include a mix of traditional IT, cloud, IoT, containers, and OT, Huber says.

Most KPIs are too technology focused and don't fully take into account the financial and business implications, Huber says. Often, the metrics are tactical rather than strategic in nature and are not very effective at helping organizations mitigate risk, he says.

"Put another way, current cyber KPIs don't consider business outcomes and fall far short of reflecting digital business and digital transformation," Huber notes. "The most common KPIs for cyber-risk and business risk don't correlate right now, and that's a gap."

While CISOs and other security leaders are typically responsible for deploying patches and managing vulnerabilities, they have relatively little influence over investments and strategy for vulnerability management. The CISO is the person most involved in evaluating cyber-risk at only 17% of the organizations surveyed, compared with the CIO at 36%.

"In the digital era, cyber-risk is now business risk, and that means CISOs must be able to measure their exposure and map it back to business outcomes," Huber says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
