Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

// // //
08:15 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

Many Enterprises Still Blind to Security Risk, Study Finds

Even as organizations continue to get hit with cyber attacks, they're struggling to accurately measure the costs of such events to their operations, a report by Tenable and the Ponemon Institute found.

A majority of companies around the world have sustained at least two cyber attacks that have disrupted their operations over the last two years, but many organizations are still unclear about the costs to their businesses of such attacks.

Specifically, 60% of organizations over the past 24 months have endured cyber attacks that have either exposed sensitive data, caused disruption or temporarily shut down their business operations or equipment, while 91% had been the victim of at least one such attack, according to a recent study released by cybersecurity vendor Tenable.

However, the study, "Measuring and Managing Cyber Risks to Business Operations Report," conducted by Ponemon Institute, also found that 54% of organizations aren't measuring the business costs of such cyber attacks, which means they have no way of accurately measuring their risk or making risk-based decisions based on quantifiable data. This presents a significant problem for businesses, given the complexities of their increasingly connected IT environments due to such trends as the Internet of Things (IoT), the cloud, greater mobility and DevOps, according to Tenable officials. (See Five IoT Endpoint Security Recommendations for the Enterprise.)

(Source: iStock)
(Source: iStock)

"The lack of cybersecurity maturity present in many enterprises creates real-world problems," Gavin Millard, vice president of intelligence at Tenable, told Security Now in an email. "One of the more critical issues is a lack of actionable insight into an organization's true level of exposure. Other potential consequences include downtime of critical systems, customer turnover, loss of market share and financial loss. In today's digital era, cyber risk is business risk. This means that organizations must not only understand where they are exposed and to what extent, but they must also have the resources, processes and technology in place to actively reduce their risk."

Digital transformation changes the game
The report -- in which 2,410 IT and information security officials in six countries were surveyed -- found the ongoing digital transformation at organizations has created a large attack surface while making it difficult for companies to fully understand their risk exposure.

Only 29% of respondents reported that they had sufficient visibility into their attack surface -- which includes traditional IT environments as well as the cloud, containers, IoT and operational technology -- to reduce their chances of being impacted by a cyber attack, while 58% told researchers that they don't have enough security staffing to scan for vulnerabilities as well as they need to.

Of those surveyed, 35% report that they only scan when it's needed to protect sensitive data.

Even those organizations that do measure the risks to their businesses posed by cyber attacks are unsure about what they're doing. The survey found that 62% of them aren't confident in the accuracy of the metrics they're using, so many of them are making business decisions without such information as the cost from IP thefts or the loss of revenue or productivity.

(Source: Tenable)
(Source: Tenable)

"Digital transformation is putting immense pressure on security teams as they work to keep their dynamic IT environments secure," Millard added. "At the same time, they're saddled with security tools and approaches created for the old-world of on-premises servers and workstations. The security industry -- vendors and security organizations alike -- have not kept pace with today's digital enterprise, leaving organizations everywhere exposed as the attack surface continues to expand."

IoT concerns
The far-reach connectivity inherent in modern computing environments makes cybersecurity even more challenging. Millard noted that few IoT devices are made with security in mind, which means they don't have the same baseline security requirements that organizations look for. In addition, the security risk is increased when employees bring such devices into the corporate environment without the security team's knowledge or approval.

"Many organizations have quickly realized that IoT has expanded their attack surface and are actively working to manage, measure and reduce the cyber risk the devices introduce," he said. "On the other hand, some organizations are still flying blind when it comes to securing IoT and are unable to identify all of the assets, including transient devices, that are connected to their network."

Researchers with NetScout's ASERT recently found that IoT devices are the targets of increasingly sophisticated botnet attacks that exploit vulnerabilities and attack devices sometimes within minutes of them coming online. That report came soon after another from Trend Micro, which said that the Message Queuing Telemetry Transport (MQTT) protocol and Constrained Application Protocol (CoAP), which are crucial to the machine-to-machine communications that underpin the IoT, are rife with vulnerabilities. (See M2M Protocols Expose IoT Data, Trend Micro Finds.)

In addition to IoT security challenges, businesses are increasingly finding themselves at risk due to security issues of their supply chain partners and others outside of the company.

"The modern attack surface is no longer confined to your corporate network alone," Millard wrote. "Organizations now rely on third parties in the form of consultants, contract workers, partners and property managers, to conduct day-to-day business. The data, systems and assets that are owned, controlled and/or stored by these third parties represent an organization's expanding attack surface. While your corporate security posture might be strong, a weak link in your supply chain can be used to compromise your data or assets."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-08-12
Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data ...
PUBLISHED: 2022-08-12
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `` or `//` ```js con...
PUBLISHED: 2022-08-12
BookWyrm is a social network for tracking your reading, talking about books, writing reviews, and discovering what to read next. Some links in BookWyrm may be vulnerable to tabnabbing, a form of phishing that gives attackers an opportunity to redirect a user to a malicious site. The issue was patche...
PUBLISHED: 2022-08-12
This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 `update_by_case` gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgra...
PUBLISHED: 2022-08-12
Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter ...