12/13/2018
05:30 PM
Despite Breaches, Many Organizations Struggle to Quantify Cyber-Risks to Business

Enterprises are struggling with familiar old security challenges as a result, new survey shows.

Many organizations are still struggling to adopt a more risk-focused approach to cybersecurity, although the need for it has been recognized for years.

Some familiar issues have been holding them back, including infrastructure complexity, third-party risks, understaffing, resource shortages, and — most significantly — not measuring cyber-risks and their impact on business.

Security vendor Tenable recently commissioned the Ponemon Institute to evaluate how enterprises are measuring and managing cyber-risk.

The poll of 2,410 IT and security practitioners in the US and other countries showed that a depressingly large number of organizations are continuing to experience business-disrupting cyber incidents — some of them multiple times over a relatively short time. Ninety-one percent of the companies surveyed reported experiencing a damaging cyberattack over the past two years; 60% had two or more.

Thirty-one percent experienced a data breach involving 10,000 or more customer or employee records in the last two years. A substantially larger 52% — more than half of all organizations surveyed — expect they'll experience a breach of this magnitude in 2019.

"At a time when business-disrupting cyber events are impacting almost all organizations, CISOs are unable to confidently quantify cyber-risk's impact to business operations," says Bob Huber, CISO of Tenable. "This is leaving the C-suite and boards of directors without actionable insight to make decisions" to alleviate business risk.

The Tenable survey showed that, with a couple of exceptions, the threats that organizations are most worried about are the same as they have been for the past several years. The top concerns this year were malware, with 48% saying they had experienced at least one malware attack in the past two years; third-party risks (41%); and leakage of emails and other business confidential information (34%).

Worries over some threats, however, appear to be spiking. Sixty-four percent — nearly two-thirds — ranked third-party risks as their top concern for 2019. The number is significantly larger than the 41% that actually reported a security incident involving a third party over the past two years.

Similar spikes were apparent in other areas as well. For example, 56% identified an attack on Internet of Things or operational technology (OT) assets as their biggest cybersecurity concern for 2019, though just 23% reported experiencing an actual attack of this type in the past 24 months. Economic espionage and attacks that disrupt OT infrastructure are also top-of-mind concerns for 2019.

Significantly, for all the hype around nation-state attacks, fewer organizations (13%) expect to experience one in 2019 than the 15% who said they already had become victims of one in the past two years.

The reasons for the overall pessimism appear tied to long-standing factors. Though organizations represented in the survey had 19 employees, on average, involved in vulnerability management, 58% still felt they did not have adequate staffing to scan for vulnerabilities — including publicly disclosed ones — in a timely fashion. Somewhat unsurprisingly, a nearly identical proportion (59%) said they had no set schedule for vulnerability scanning or did not scan at all.

The Tenable/Ponemon survey showed that a substantial proportion of organizations are struggling to keep pace with the stealth and sophistication of attackers, reduce complexity in their IT security infrastructure, improve third-party controls, and control access to sensitive data.

While such factors have heightened the need for more risk-focused approaches to cybersecurity, Tenable's survey showed that many organizations are still only just getting there.

Risk Measurement & Management: Work in Progress
"While some organizations are making strides in improving their security maturity and mapping cybersecurity strategies to the business, there is still room for improvement," Huber says.

For example, despite the enormous financial implications of data breaches and other security incidents, many organizations still have a poor understanding of the business costs of cyber-risks.

Less than half of the organizations represented in the survey — some 1,110 — claimed they measured and therefore understood the business impact of cyber-risks. Of those, only 41% were required to report that analysis to their board and business leaders, and more than six in 10 did not believe their measures were very accurate.

In general, more respondents claimed to understand the importance of certain key performance indicators (KPIs) for understanding risk than are actually using them. For example, 70% and 64%, respectively, considered time to remediate risk and time to assess cyber-risk to be important KPIs, yet only 46% and 49%, respectively, are actually using them.

The same gap was evident in the use of KPIs to measure the business impact of a cyber incident. Sixty-eight percent believed it was important to have a way to measure loss of revenue resulting from a cyber incident, but only 56% actually are using KPIs to do that. Seventy percent said KPIs for measuring loss of productivity were critical even though only 48% are actually using them.

Exacerbating the situation is the fact that the KPIs that organizations are using are designed for on-premises infrastructure and therefore are inadequate for current environments that include a mix of traditional IT, cloud, IoT, containers, and OT, Huber says.

Most KPIs are too technology focused and don't fully take into account the financial and business implications, Huber says. Often, the metrics are tactical rather than strategic in nature and are not very effective at helping organizations mitigate risk, he says.

"Put another way, current cyber KPIs don't consider business outcomes and fall far short of reflecting digital business and digital transformation," Huber notes. "The most common KPIs for cyber-risk and business risk don't correlate right now, and that's a gap."

While CISOs and other security leaders are typically responsible for deploying patches and managing vulnerabilities, they have relatively little influence in determining investments and strategies for vulnerability management. CISOs are the people most involved in evaluating cyber-risk at only 17% of the organizations represented in the survey, compared with CIOs at 36%.

"In the digital era, cyber-risk is now business risk, and that means CISOs must be able to measure their exposure and map it back to business outcomes," Huber says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
