RSA Research: 75% of organisations at risk, says cyber security mindsets must change
Cyber risk statistics are still high, according to RSA's latest survey that shows 75% of respondents have a significant cyber security risk exposure.
This, the research says, is because too many organizations are relying on perimeter-based solutions, while better-equipped organizations use detection and response technologies.
The survey analysed responses from 878 respondents in 81 countries and more than 24 industries, and respondents also self-assessed their organizations through the NIST Cybersecurity Framework (CSF).
The CSF framework used a 5-point scale to rate five functions: Identification, protection, detection, response and recovery. It was run by RSA Research, an EMC Security Division.
"This second round of cybersecurity research provides tangible evidence that organizations of all sizes, in all industries and from all geographies feel unprepared for the threats they are facing. We need to change the way we are thinking about security, to focus on more than just prevention – to develop a strategy that emphasizes detection and response. Organizations need to set their agendas early, build comprehensive strategies and not wait for a breach to force them into action," says Amit Yoran, president, RSA, The Security Division of EMC.
The survey found that Incident Response (IR) capabilities are underdeveloped, with 45% of all respondents saying IR capabilities are 'ad hoc' or 'non-existent'.
According to RSA, organizations' inability to quantify the risks and potential impacts of threats make it harder to prioritise mitigation and investment. These two areas are the foundation for building security and risk management protocols.
The survey also showed that organizations are more likely to improve their security after they have experienced a cyber attack that has impacted their business. In addition, many organizations ignore cybersecurity because they do not understand how cyber risks can affect them.
The report confirmed that 65% of organizations that experience frequent incidents are more likely to have developed or advantaged cyber maturity capabilities. It demonstrates that experience is key to developing maturity, but the report says organizations must focus on prevention more than detection and response.
There was also a small increase in the number of organizations that have mature cybersecurity programmes with advantaged capabilities, from 4.9% to 7.4%.
The survey highlights that critical infrastructure operators such as government and energy providers need to improve their cyber maturity. Only 18% of government and energy providers ranked their organizations as developed or advantaged.
Conversely, defense organizations and air operators reported the highest maturity, at 39% described themselves as developed or advantaged.
Only 26% of financial service organizations rated themselves as well-prepared for attacks, a decrease of 7%.
Paul Jespersen, vice president of Enterprise Business Development and Emerging Products at Comodo, says phishers are using wide nets to catch as many victims as possible.
“They then use social engineering, public information and social media to send convincing emails from what appears to be a trusted executive, attorney or associated vendor asking for wiring of a reasonable amount of money— as not to raise red flags. They put in this effort because they know that people are likely to fall for these well-executed schemes if they can be made to believe they are authentic requests," Jespersen says.
“In addition to technology solutions to restrict access, guarantee identity and trust, and protect against malware exploits, it’s critical for business employees to use common sense and stay alerted by their IT departments on the existence of business email scams. Employees can look out for any anomalies in the sender’s email domain, where the cybercriminal will often change one letter—making it difficult to spot the difference. And if employees are unsure of the legitimacy of a transfer request, they should contact IT and confirm verbally or outside of email with that executive or vendor for verification before proceeding. These tips apply to all forms of phishing, spearphishing and cybercrime, and all employees should be reminded of them regularly,” Jespersen concludes.