In this monthly roundup of cybersecurity research, eSecurity Planet summarizes findings from 10 different reports — and the key lessons that enterprises can learn from them to protect themselves against current and emerging risks.
- Accenture: Securing the Digital Economy
- Agari: Q1 2019 Email Fraud and Identity Deception Report
- Deloitte: Global Risk Management Survey
- Javelin Research: The State of Strong Authentication Report
- 2019 Kenna Security: Patching Survey
- Ping Identity: The State of Enterprise IT Infrastructure & Security
- Positive Technologies: Cybersecurity Threatscape Report
- Syncsort: The State of IT Security for 2019
- Tripwire: Container Security
- Vera Security: The State of Enterprise Encryption and How to Improve It
Accenture released its Securing the Digital Economy: Reinventing the Internet for Trust report on Jan. 17. The big forecast in the report is that organizations globally could be on the hook for $5.2 trillion in lost revenue and costs due to cyberattacks over the next five years.
79 percent of organizations surveyed by Accenture said they believe that, unless internet security improves dramatically, the advancement of the digital economy will be held back. That fear led 56 percent of Accenture’s survey respondents to say they would accept stricter business regulations imposed by a central organization or governing body to improve cybersecurity.
“Internet security is lagging behind the sophistication of cybercriminals and is leading to an erosion of trust in the digital economy,” stated Omar Abbosh, head of Accenture’s Communications, Media & Technology operating group. “Strengthening internet security requires decisive — and, at times, unconventional — leadership by CEOs, not just CISOs.”
Key takeaway: The impact of data breaches is about more than just data loss, so take time to fully understand the potential impact to help mitigate risk.
Agari released its Q1 2019 Email Fraud and Identity Deception Report on Jan. 31, revealing an increasing volume of account takeover advanced email attacks.
Account takeover (ATO) attacks occur when an attacker steals a user’s credentials and then uses the compromised account for malicious purposes. According to Agari, ATO attacks now account for 20 percent of advanced email attacks on organizations.
Agari’s report also provides insight into the current state of DMARC adoption across enterprises. Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication standard, built on SPF and DKIM, that lets a domain owner tell receiving mail servers how to handle messages that fail authentication and receive reports about them. Across Fortune 500 companies, Agari reported that DMARC adoption is now at 54 percent.
“Credential phishing was already a huge risk for organizations because of the potential for data breach, but now there is a new wave of account takeover attacks leveraging compromised accounts to commit additional fraud, which evade traditional email security controls,” said Crane Hassold, Senior Director of Threat Research at Agari.
Key takeaway: Strongly consider using DMARC to help improve email security and limit the risk of email fraud.
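Publishing a DMARC record is only the first step; what it actually does depends on its policy tags. The following checker, added here as an example and not code from Agari or the article, parses a DMARC TXT record (assumed to have been fetched from the `_dmarc.<domain>` TXT record) and reports whether it enforces anything. The sample records are constructed.

```python
"""Assess a DMARC TXT record: is it enforcing, or only monitoring?"""
from dataclasses import dataclass, field
from typing import Dict, List

POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    policy: str                 # p= tag
    subdomain_policy: str       # sp= tag, defaults to p
    pct: int                    # share of failing mail the policy applies to
    aggregate_reports: bool     # rua= address present
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only if failing mail is quarantined or rejected for all messages."""
        return POLICY_STRENGTH[self.policy] >= 1 and self.pct == 100


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into tags; raise ValueError if malformed."""
    tags: Dict[str, str] = {}
    order: List[str] = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key = key.strip().lower()
        tags[key] = value.strip()
        order.append(key)
    # RFC 7489: v=DMARC1 must be the first tag, and p= is required.
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 must be the first tag)")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    return tags


def assess_dmarc(txt: str) -> DmarcAssessment:
    """Grade a record and list the weaknesses a spoofer would benefit from."""
    tags = parse_dmarc_record(txt)
    policy = tags["p"].lower()
    if policy not in POLICY_STRENGTH:
        raise ValueError(f"unknown policy {policy!r}")
    sub = tags.get("sp", policy).lower()
    if sub not in POLICY_STRENGTH:
        raise ValueError(f"unknown subdomain policy {sub!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        raise ValueError("pct= must be an integer") from None
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")

    result = DmarcAssessment(policy, sub, pct, "rua" in tags)
    if policy == "none":
        result.findings.append("p=none: receivers only report; spoofed mail is still delivered")
    if pct < 100:
        result.findings.append(f"pct={pct}: policy applies to only {pct}% of failing messages")
    if POLICY_STRENGTH[sub] < POLICY_STRENGTH[policy]:
        result.findings.append(f"sp={sub} is weaker than p={policy}: subdomains remain spoofable")
    if "rua" not in tags:
        result.findings.append("no rua= address: no aggregate reports, so abuse goes unseen")
    return result


# Constructed sample records, from strongest to weakest.
SAMPLES = [
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=reject; pct=50",
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
]

if __name__ == "__main__":
    for record in SAMPLES:
        a = assess_dmarc(record)
        print(record, "->", "ENFORCING" if a.enforcing else "NOT ENFORCING", a.findings)
```

A domain whose record reads `p=none` counts as "adopted" in a census but blocks nothing; the `findings` list is what to act on before reporting DMARC as done.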
On Jan. 23, Deloitte released the 11th edition of its Global Risk Management Survey, finding that financial services organizations are increasingly reviewing their risk profile.
Among the high level findings in the Deloitte report is that 67 percent of financial services organizations identified cybersecurity as one of the top three risks that would increase the most in importance over the next two years. Though financial services firms are aware of cybersecurity risk, Deloitte found that only approximately half of the surveyed organizations reported that their institutions were extremely or very effective in managing this risk.
Financial services organizations are not sitting idly by, either: 48 percent reported that their firms plan to improve their risk infrastructure with advanced technologies such as robotic process automation (RPA), cognitive analytics, and cloud computing.
“Digital technologies have the potential to fundamentally re-engineer virtually every aspect of risk management,” said Edward Hida, a partner with Deloitte Risk and Financial Advisory at Deloitte US and the author of the report. “Financial institutions are now at the early stages of this transformation of their risk management functions.”
Key takeaway: Don’t just take the time to understand what cybersecurity risks might face your organization, take the necessary steps to also implement security controls to manage that risk.
Javelin Research’s State of Strong Authentication 2019 report, released on Jan. 22, found that enterprise use of both strong authentication and multi-factor authentication has grown. Javelin defines traditional multi-factor authentication as SMS- and one-time-passcode-based approaches, while strong authentication relies on a cryptographic handshake.
41 percent of enterprises reported that they were using traditional multi-factor authentication in 2018, up from 37 percent in 2017. Use of strong authentication by enterprises hit 12 percent in 2018, up from only 7 percent in 2017.
“The increase in strong authentication adoption makes sense given that while data breaches, phishing threats and regulatory pressures have risen, the financial and user experience costs associated with implementing strong authentication have decreased,” said Al Pascual, senior vice president and research director, Javelin Strategy & Research. “What’s less encouraging is that we are finding that the holdouts believe passwords alone are sufficient security.”
Key takeaway: Passwords alone are not sufficient to secure identity and there is a real need for strong authentication to help protect organizations and their users.
On Jan. 22, Kenna Security released a report on the state of vulnerability patching titled Prioritization to Prediction: Getting Real About Remediation. Among the positive high-level findings in the report is that organizations have closed 70 percent of the critical vulnerabilities present in their systems. The bad news is that this still leaves 30 percent of those critical vulnerabilities unpatched.
The time it takes organizations to patch is also a concern, with only roughly one-third of vulnerabilities patched within 30 days. Not every publicly disclosed vulnerability is critical or needs immediate patching, however: the Kenna Security report found that only five percent of vulnerabilities with a CVE (Common Vulnerabilities and Exposures) identifier have known exploits against them.
“We’ve found that remediating the riskiest vulnerabilities is within reach for many organizations,” Ed Bellis, CTO at Kenna Security, wrote in a media advisory. “Most vulnerabilities pose little to no danger of being exploited. That means companies can prioritize their resources to tackle the five percent of threats that pose the greatest risk.”
Key takeaway: Prioritize vulnerabilities that need to be patched based on severity and impact to the organization.
Note: eSecurity Planet publishes a monthly listing of new vulnerabilities.
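The takeaway above is easier to act on with a concrete ranking rule. The following script, added here as an example and not Kenna Security's model, scores each open finding by CVSS severity, whether a public exploit is known, and the business tier of the affected asset, then reports how many actionable findings are past a 30-day patch SLA. The scoring weights, tier names and the backlog are all constructed for the example, and the vulnerability ids are placeholders rather than real CVE numbers.

```python
"""Rank open vulnerabilities so the small exploited subset is remediated first."""
from dataclasses import dataclass
from typing import Dict, List

ASSET_WEIGHT = {"crown-jewel": 2.0, "internal": 1.0, "lab": 0.5}   # assumed tiers
SLA_DAYS = 30


@dataclass(frozen=True)
class Vuln:
    vuln_id: str          # placeholder, not a real CVE number
    cvss: float           # CVSS base score, 0.0-10.0
    exploit_known: bool   # public exploit code or observed exploitation
    asset_tier: str       # key into ASSET_WEIGHT
    days_open: int        # days since the finding was first reported


def risk_score(v: Vuln) -> float:
    """Severity weighted by exploit availability and asset importance."""
    exploit_factor = 3.0 if v.exploit_known else 1.0
    return round(v.cvss * exploit_factor * ASSET_WEIGHT[v.asset_tier], 2)


def remediation_tier(v: Vuln) -> str:
    """Bucket a finding by how fast it should be fixed."""
    if v.exploit_known and v.cvss >= 7.0:
        return "now"
    if v.exploit_known or v.cvss >= 7.0:
        return "30-days"
    return "next-cycle"


def prioritize(vulns: List[Vuln]) -> List[Vuln]:
    """Highest risk first; ties broken by how long the finding has been open."""
    return sorted(vulns, key=lambda v: (risk_score(v), v.days_open), reverse=True)


def sla_report(vulns: List[Vuln], sla_days: int = SLA_DAYS) -> Dict[str, int]:
    """Count the findings that matter and how many are past the patch SLA."""
    actionable = [v for v in vulns if remediation_tier(v) != "next-cycle"]
    overdue = [v for v in actionable if v.days_open > sla_days]
    return {
        "total": len(vulns),
        "exploit_known": sum(1 for v in vulns if v.exploit_known),
        "actionable": len(actionable),
        "overdue": len(overdue),
    }


# Constructed sample backlog.
BACKLOG = [
    Vuln("VULN-PLACEHOLDER-1", 9.8, False, "internal", 5),
    Vuln("VULN-PLACEHOLDER-2", 7.5, True, "crown-jewel", 40),
    Vuln("VULN-PLACEHOLDER-3", 5.3, True, "lab", 10),
    Vuln("VULN-PLACEHOLDER-4", 4.0, False, "internal", 90),
    Vuln("VULN-PLACEHOLDER-5", 9.1, False, "lab", 35),
]

if __name__ == "__main__":
    for v in prioritize(BACKLOG):
        print(f"{v.vuln_id} score={risk_score(v):5.2f} tier={remediation_tier(v)}")
    print(sla_report(BACKLOG))
```

Note how the ranking differs from sorting by CVSS alone: a 5.3 finding with a public exploit on a lab host outranks a 9.1 finding with no exploit on the same tier, which is the point of folding exploit status into the decision.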
On Jan. 23, Ping Identity released its State of Enterprise IT Infrastructure and Security survey, revealing that security concerns are holding back adoption of cloud services. 43 percent of survey respondents indicated that security was the biggest barrier to cloud adoption, while 37 percent indicated that security was a barrier to Software-as-a-Service (SaaS) adoption.
Somewhat ironically, organizations are aware of technologies they can use to improve cloud security, yet they aren’t deploying them. The study found that 90 percent of respondents viewed multi-factor authentication as an effective security control for protecting public cloud usage. That said, only 60 percent of organizations reported that they actually use multi-factor authentication for the cloud.
“With security as the biggest barrier to cloud and SaaS adoption, it’s no wonder we’re seeing enterprises prioritize their security investment—especially following a year that was defined by data breaches,” said Richard Bird, chief customer information officer at Ping Identity.
Key takeaway: Make sure to use the full breadth of identity and access management (IAM) controls to help secure cloud deployments.
Positive Technologies released its Cybersecurity Threatscape Q3 2018 report on Jan. 22, which found a rise in the volume of social engineering attacks.
According to the report, social engineering attacks made up 37 percent of total attacks in Q3, compared to 25 percent in the second quarter. Malware is still a big problem, being a factor in 56 percent of cybersecurity incidents.
One attack vector that is on the decline is unauthorized cryptocurrency mining, which was involved in only 8 percent of cybersecurity incidents in the third quarter, down from a high of 23 percent in the first quarter of 2018.
“Cluelessness about security is one of the biggest contributors to data theft,” said Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies. “Users voluntarily provide information to online services in exchange for small rewards, or put information on social networks for the world to see.”
Key takeaway: Protect personal information that could be of use to a hacker and don’t mindlessly post data that could aid in an attack.
Syncsort released its State of IT Security for 2019 survey results on Jan. 10, finding a disconnect between confidence in IT security programs and data breaches.
41 percent of respondents to the Syncsort survey reported that their organizations have experienced data breaches. 50 percent of breaches were identified in less than a day, while 26 percent were identified in less than a week. The study found that in the aftermath of a data breach, the most common activity was to increase IT staff training.
“The good news is most organizations are auditing their security systems,” said Terry Plath, Senior Vice President, Support and Services at Syncsort. “The bad news is more than two-thirds of audits are done by in-house staff – meaning they’re more likely to be biased – and only once per year.”
Key takeaway: While doing in-house security audits is helpful, there is also a benefit to engaging third parties to get a different view on cybersecurity that could help minimize risks.
On Jan. 7, Tripwire released a study, conducted with Dimensional Research, looking at container security concerns. The survey found that 60 percent of organizations had some form of container security incident in the last year.
Even more surprising was that organizations were in some cases knowingly deploying containers with vulnerabilities: 47 percent of the Tripwire study’s respondents admitted their organizations deployed containers known to have vulnerabilities. Worse yet, 46 percent of respondents said they deployed containers without knowing whether vulnerabilities were present at all.
“With the increased growth and adoption of containers, organizations are feeling the pressure to speed their deployment,” said Tim Erlin, vice president of product management and strategy at Tripwire. “To keep up with the demand, teams are accepting risks by not securing containers.”
Key takeaway: Don’t deploy container workloads without first considering security and having a plan in place to monitor and manage the security considerations.
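One way to put that plan in place is a deployment gate that treats "not scanned" the same as "known vulnerable". The admission check below is added here as an example, not Tripwire's code; it assumes scan results come from whatever image scanner the team already runs and that each finding carries a severity and a fix-available flag. The scan results and finding ids are constructed placeholders.

```python
"""Admission gate: block images whose vulnerability status is unknown, stale,
or that carry fixable high/critical findings."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_SCAN_AGE_HOURS = 24.0            # assumed freshness limit for a scan
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # placeholder id, not a real CVE
    severity: str         # CRITICAL / HIGH / MEDIUM / LOW
    fix_available: bool   # a patched package version exists


@dataclass(frozen=True)
class ScanResult:
    image: str
    age_hours: float
    findings: List[Finding]


@dataclass
class Decision:
    image: str
    allowed: bool
    blockers: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def admission_decision(image: str, scan: Optional[ScanResult]) -> Decision:
    """Decide whether an image may be deployed, recording every reason."""
    d = Decision(image=image, allowed=False)
    # Unknown status is handled exactly like a known-bad image.
    if scan is None:
        d.blockers.append("no scan result: vulnerability status unknown")
        return d
    if scan.image != image:
        d.blockers.append(f"scan covers {scan.image}, not {image}")
        return d
    if scan.age_hours > MAX_SCAN_AGE_HOURS:
        d.blockers.append(f"scan is {scan.age_hours:.0f}h old (limit {MAX_SCAN_AGE_HOURS:.0f}h)")
    for f in scan.findings:
        if f.severity not in BLOCKING_SEVERITIES:
            continue
        if f.fix_available:
            d.blockers.append(f"{f.vuln_id} ({f.severity}) has a fix: rebuild the image")
        else:
            # No patch exists yet: allow, but only with a documented risk acceptance.
            d.warnings.append(f"{f.vuln_id} ({f.severity}) has no fix yet: needs risk acceptance")
    d.allowed = not d.blockers
    return d


def gate_release(scans: Dict[str, Optional[ScanResult]]) -> Dict[str, Decision]:
    """Evaluate every image in a deployment request."""
    return {image: admission_decision(image, scan) for image, scan in scans.items()}


# Constructed sample: four images in one deployment request.
SCANS: Dict[str, Optional[ScanResult]] = {
    "app:1.4.2": ScanResult("app:1.4.2", 2.0, [Finding("VULN-PLACEHOLDER-1", "HIGH", True),
                                                Finding("VULN-PLACEHOLDER-2", "LOW", True)]),
    "app:1.4.3": ScanResult("app:1.4.3", 1.0, [Finding("VULN-PLACEHOLDER-3", "CRITICAL", False),
                                                Finding("VULN-PLACEHOLDER-4", "MEDIUM", True)]),
    "sidecar:0.9": None,                       # never scanned
    "batch:2.0": ScanResult("batch:2.0", 72.0, []),   # clean, but the scan is three days old
}

if __name__ == "__main__":
    for image, d in gate_release(SCANS).items():
        print(image, "ALLOW" if d.allowed else "BLOCK", d.blockers or d.warnings)
```

The two failure modes from the survey map directly onto the gate: an image with a fixable high-severity finding is blocked until it is rebuilt, and an image with no scan at all is blocked rather than waved through on the assumption that it is probably fine.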
On Jan. 15, Vera released its State of Enterprise Encryption and How to Improve It report, providing insight into how organizations are using data encryption technology.
The report found that usage of encryption and data protection technology isn’t as high as it should be. Vera found that only 35 percent of the survey’s respondents built encryption into all their security processes and procedures. Additionally, the study found that only 26 percent of respondents make use of Digital Rights Management (DRM) technology.
As it turns out, organizations don’t necessarily deploy encryption to protect users’ data. Rather, 61 percent of respondents said that, in their view, compliance drives the need for encryption.
“In the current post-cloud, collaborative environment, organizations must secure and protect data throughout its entire lifecycle,” said Vera CEO Carlos Delatorre. “Always-on file security enables them to do that seamlessly, effectively while remaining compliant with regulations.”
Key takeaway: Encryption of data is a good best practice for sensitive information and shouldn’t be driven by compliance requirements alone.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.