
12/13/2018
05:30 PM
Despite Breaches, Many Organizations Struggle to Quantify Cyber-Risks to Business

Enterprises are struggling with familiar old security challenges as a result, new survey shows.

Many organizations are still struggling to adopt a more risk-focused approach to cybersecurity, although the need for it has been recognized for years.

Some familiar issues have been holding them back, including infrastructure complexity, third-party risks, understaffing, resource shortages, and — most significantly — not measuring cyber-risks and their impact on business.

Security vendor Tenable recently commissioned the Ponemon Institute to evaluate how enterprises are measuring and managing cyber-risk.

The poll of 2,410 IT and security practitioners in the US and other countries showed that a depressingly large number of organizations are continuing to experience business-disrupting cyber incidents — some of them multiple times over a relatively short time. Ninety-one percent of the companies surveyed reported experiencing a damaging cyberattack over the past two years; 60% had two or more.

Thirty-one percent experienced a data breach involving 10,000 or more customer or employee records in the last two years. A substantially larger 52% — more than half of all organizations surveyed — expect they'll experience a breach of this magnitude in 2019.

"At a time when business-disrupting cyber events are impacting almost all organizations, CISOs are unable to confidently quantify cyber-risk's impact to business operations," says Bob Huber, CISO of Tenable. "This is leaving the C-suite and boards of directors without actionable insight to make decisions" to alleviate business risk.

The Tenable survey showed that, with a couple of exceptions, the threats that organizations are most worried about are the same as they have been for the past several years. The top concerns this year were malware, with 48% saying they had experienced at least one malware attack in the past two years; third-party risks (41%); and leakage of emails and other business confidential information (34%).

Worries over some threats, however, appear to be spiking. Sixty-four percent — nearly two-thirds — ranked third-party risks as their top concern for 2019. The number is significantly larger than the 41% that actually reported a security incident involving a third party over the past two years.

Similar spikes were apparent in other areas as well. For example, 56% identified an attack on Internet of Things or operational technology (OT) assets as their biggest cybersecurity concern for 2019, though just 23% reported experiencing an actual attack of this type in the past 24 months. Economic espionage and attacks that disrupt OT infrastructure are also top-of-mind concerns for 2019.

Significantly, for all the hype around nation-state attacks, fewer organizations (13%) expect to experience one in 2019 than the 15% who said they already had become victims of one in the past two years.

The reasons for the overall pessimism appear tied to long-standing factors. Though organizations represented in the survey had 19 employees, on average, involved in vulnerability management, 58% still felt they did not have adequate staffing to scan for vulnerabilities — including publicly disclosed ones — in a timely fashion. Somewhat unsurprisingly, a nearly identical proportion (59%) said they had no set schedule for vulnerability scanning or did not scan at all.

The Tenable/Ponemon survey showed that a substantial percentage of organizations are struggling to keep pace with the stealth and sophistication of attackers, reduce complexity in their IT security infrastructure, improve third-party controls, and control access to sensitive data.

While such factors have heightened the need for more risk-focused approaches to cybersecurity, Tenable's survey showed that many organizations are still only just getting there.

Risk Measurement & Management: Work in Progress

"While some organizations are making strides in improving their security maturity and mapping cybersecurity strategies to the business, there is still room for improvement," Huber says.

For example, despite the enormous financial implications of data breaches and other security incidents, many organizations still have a poor understanding of the business costs of cyber-risks.

Fewer than half of the organizations represented in the survey — some 1,110 — claimed they measured, and therefore understood, the business impact of cyber-risks. Of those, only 41% were required to report that analysis to their board and business leaders. More than six in 10 did not believe their measures were very accurate.

In general, more respondents said certain key performance indicators (KPIs) were important for understanding risk than were actually using them. For example, 70% and 64%, respectively, considered the time to remediate risk and the time to assess cyber-risk to be important KPIs. However, only 46% and 49%, respectively, are using them.

The same gap was evident in the use of KPIs to measure the business impact of a cyber incident. Sixty-eight percent believed it was important to have a way to measure loss of revenue resulting from a cyber incident, but only 56% actually are using KPIs to do that. Seventy percent said KPIs for measuring loss of productivity were critical even though only 48% are actually using them.

Exacerbating the situation is the fact that the KPIs that organizations are using are designed for on-premises infrastructure and therefore are inadequate for current environments that include a mix of traditional IT, cloud, IoT, containers, and OT, Huber says.

Most KPIs are too technology focused and don't fully take into account the financial and business implications, Huber says. Often, the metrics are tactical rather than strategic in nature and are not very effective at helping organizations mitigate risk, he says.

"Put another way, current cyber KPIs don't consider business outcomes and fall far short of reflecting digital business and digital transformation," Huber notes. "The most common KPIs for cyber-risk and business risk don't correlate right now, and that's a gap."

While CISOs and other security leaders are typically responsible for deploying patches and managing vulnerabilities, they have relatively little influence in determining investments and strategies for vulnerability management. CISOs are the people most involved in evaluating cyber-risk at only 17% of the organizations represented in the survey — compared with CIOs at 36%.

"In the digital era, cyber-risk is now business risk, and that means CISOs must be able to measure their exposure and map it back to business outcomes," Huber says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.