Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12/13/2018
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Despite Breaches, Many Organizations Struggle to Quantify Cyber-Risks to Business

Enterprises are struggling with familiar old security challenges as a result, new survey shows.

Many organizations are still struggling to adopt a more risk-focused approach to cybersecurity, although the need for it has been recognized for years.

Some familiar issues have been holding them back, including infrastructure complexity, third-party risks, understaffing, resource shortages, and — most significantly — not measuring cyber-risks and their impact on business.

Security vendor Tenable recently commissioned the Ponemon Institute to evaluate how enterprises are measuring and managing cyber-risk.

The poll of 2,410 IT and security practitioners in the US and other countries showed that a depressingly large number of organizations are continuing to experience business-disrupting cyber incidents — some of them multiple times over a relatively short time. Ninety-one percent of the companies surveyed reported experiencing a damaging cyberattack over the past two years; 60% had two or more.

Thirty-one percent experienced a data breach involving 10,000 or more customer or employee records in the last two years. A substantially larger 52% — more than half of all organizations surveyed — expect they'll experience a breach of this magnitude in 2019.

"At a time when business-disrupting cyber events are impacting almost all organizations, CISOs are unable to confidently quantify cyber-risk's impact to business operations," says Bob Huber, CISO of Tenable. "This is leaving the C-suite and boards of directors without actionable insight to make decisions" to alleviate business risk.

The Tenable survey showed that, with a couple of exceptions, the threats that organizations are most worried about are the same as they have been for the past several years. The top concerns this year were malware, with 48% saying they had experienced at least one malware attack in the past two years; third-party risks (41%); and leakage of emails and other business confidential information (34%).

Worries over some threats, however, appear to be spiking. Sixty-four percent — nearly two-thirds — ranked third-party risks as their top concern for 2019. The number is significantly larger than the 41% that actually reported a security incident involving a third party over the past two years.

Similar spikes were apparent in other areas as well. For example, 56% identified an attack on Internet of Things or operational technology (OT) assets as their biggest cybersecurity concern for 2019, though just 23% reported experiencing an actual attack of this type in the past 24 months. Economic espionage and attacks that disrupt OT infrastructure are also top-of-mind concerns for 2019.

Significantly, for all the hype around nation-state attacks, fewer organizations (13%) expect to experience one in 2019 than the 15% who said they already had become victims of one in the past two years.

The reasons for the overall pessimism appear tied to long-standing factors. Though organizations represented in the survey had 19 employees, on average, involved in vulnerability management, 58% still felt they did not have adequate staffing to scan for vulnerabilities — including publicly disclosed ones — in a timely fashion. Somewhat unsurprisingly, a nearly identical proportion (59%) said they had no set schedule for vulnerability scanning or did not scan at all.

The Tenable/Ponemon survey showed that a substantially high percentage of organizations are struggling to keep pace with the stealth and sophistication of attackers, reduce complexity in their IT security infrastructure, improve third-party controls, and control access to sensitive data.

While such factors have heightened the need for more risk-focused approaches to cybersecurity, Tenable's survey showed that many organizations are still only just getting there.

Risk Measurement & Management: Work in Progress
"While some organizations are making strides in improving their security maturity and mapping cybersecurity strategies to the business, there is still room for improvement," Huber says.

For example, despite the enormous financial implications of data breaches and other security incidents, many organizations still have a poor understanding of the business costs of cyber-risks.

Less than half of the organizations represented in the survey — some 1,110 — claimed they measured and therefore understood the business impact of cyber-risks. Of that, only 41% were required to report that analysis to their board and business leaders. More than six in 10 did not believe their measures were very accurate.

In general, more respondents claimed to understand the importance of certain key performance indicators in understanding risk than are actually using them. For example, 70% and 64%, respectively, considered metrics about the time to remediate risk and the time to assess cyber-risk as important key performance indicators (KPIs). However, 46% and 49%, respectively, are using them.

The same gap was evident in the use of KPIs to measure the business impact of a cyber incident. Sixty-eight percent believed it was important to have a way to measure loss of revenue resulting from a cyber incident, but only 56% actually are using KPIs to do that. Seventy percent said KPIs for measuring loss of productivity were critical even though only 48% are actually using them.

Exacerbating the situation is the fact that the KPIs that organizations are using are designed for on-premises infrastructure and therefore are inadequate for current environments that include a mix of traditional IT, cloud, IoT, containers, and OT, Huber says.

Most KPIs are too technology focused and don't fully take into account the financial and business implications, Huber says. Often, the metrics are tactical rather than strategic in nature and are not very effective at helping organizations mitigate risk, he says.

"Put another way, current cyber KPIs don't consider business outcomes and fall far short of reflecting digital business and digital transformation," Huber notes. "The most common KPIs for cyber-risk and business risk don't correlate right now, and that's a gap."

While CISOs and other security leaders are typically responsible for deploying patches and managing vulnerabilities, they have relatively less influence in determining investments and strategies for vulnerability management. CISOs are most involved in evaluating cyber-risk at only 17% of the organizations represented in the survey — compared with CIOs at 36%.

"In the digital era, cyber-risk is now business risk, and that means CISOs must be able to measure their exposure and map it back to business outcomes," Huber says.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1874
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-ba...
CVE-2019-1875
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input by t...
CVE-2019-1876
PUBLISHED: 2019-06-20
A vulnerability in the HTTPS proxy feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to use the Central Manager as an HTTPS proxy. The vulnerability is due to insufficient authentication of proxy connection requests. An attacker could exp...
CVE-2019-1878
PUBLISHED: 2019-06-20
A vulnerability in the Cisco Discovery Protocol (CDP) implementation for the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to insuff...
CVE-2019-1879
PUBLISHED: 2019-06-20
A vulnerability in the CLI of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input at the CLI. An attacker could exploi...