At the end of 2021, we at Cymulate conducted a survey on ransomware. While the number of ransomware attacks has reached epic proportions, the breaches survey participants gave prescriptive and tangible advice based on how they had been successful in reducing ransomware’s damage and duration. As the epidemic became so widespread and business-impacting, elevating risk beyond the realm of cyber security and IT professionals, words of cyber-risks cruciality reached business leaders. They, in turn, ensured that their organizations received additional resources in personnel, improved cyber security solutions integration, implemented additional best practices, adopted proactive offensive testing, and modified their incident response plans. The outcome showed that when ransomware attacks occur, the damage and duration of the attacks can indeed be minimized in most situations with the proper measures.
In our 2022 Cymulate Breaches Survey, we reached out to cyber and IT professionals globally to better understand breaches’ causes, impact, outcomes, and mitigating factors. Spread over industries ranging from technology, banking, and finance to government, medical, and more, over 858 participants from across North America, APAC & LATAM, and covering a wide array of industries took the time to answer the survey questions. Respondents worked in a wide variety of roles including cybersecurity, IT, developers, business, and risk management, in companies ranging from less than 100 to more than 100K employees.
Critical Findings to Reduce the Number of Breaches and Breach Damage and Duration
To ensure statistical relevance and avoid bias, we partnered with an independent research firm, Global Surveys. The fascinating results uncovered can be presented in five key takeaways.
1. Worrying Human Risk Factor
The human factor in cyber breaches remains a troublesome issue for most. End-user phishing was the source of over half of all breaches (56%). When combined with the insider threat vector (29%), defined as non-phishing-related employee activity, with or without malicious intent, the number of breaches stemming from a human at its source reaches a staggering 85%.
We must increase the efficacy of phishing awareness campaigns and ensure they are regularly updated to include the ever-changing phishing attack practices. Every single employee must be aware that breaches occur not only through email but also through other mediums such as messaging applications, social media accounts, and even phone calls. Beyond this, the numbers indicate that a broader and deeper cyber security education across the board is essential. Users, as well as employees, must be taught the importance of validating sources and the risks of downloading and installing applications, the importance of good data hygiene, and credentials protection, among other things.
2. Criticality of Best Practices
Beyond education, organizations must get better at truly incorporating least privilege, authentication, and authorization practices, including multifactor authentication. Lack of best practices adoption is a reliable predictor of breaches an organization will experience. This mirrors our 2021 State of Cybersecurity Awareness that assessed over 1 million simulated, real-world-based offensive tests performed by our Cymulate customers in 2021 that already showed the extent to which attackers take advantage of a lack of least privileges and MFA implementation.
3. Hidden Dangers of Third Parties
The second-largest source of cyber breaches was third parties connected to the organization. This included both third-party employees, suppliers, contractors, third-party applications/data feeds, and supply-chain sources. In a world where most organizations are extensively interconnected, being able to visualize and understand third-party exposure and risks is critical. Implementing leak-proof asset segmentation, least privilege policies, enforced MFA, and audit trails are essential.
As the survey also showed that only 22% of the breaches were publicly disclosed, meaning that suppliers continue to provide service despite experiencing a breach, it is imperative to include a timely breach disclosure clause in service level agreements with all third-party suppliers.
4. Adopting a Reactive Approach Is More Expensive and Less Effective
It is human nature to say, “it won’t happen to me.” It is a common psychological reaction that impedes many organizations from taking proactive action to preempt breaches, despite technological improvements and increased availability of proactive adversarial cyber solutions.
The survey indicated that a reactive stance – acting only after a breach occurred – raised the risks of additional breaches with damaging consequences. Respondents breached once or more were 60% more likely to be breached again than respondents who had never been breached. Given the post-breach prohibitive costs ranging from hiring security consultants (35%), public disclosure (22%), hiring PR consultants (12%), and paying regulatory fines (4%), switching to a proactive approach is both safer and cheaper.
5. Including Executives in the Decisional |Process is Critical
The survey uncovered that the participation of executives in the entire process is critical and that the number of breaches was inversely correlated with the number of times executives and business leaders met with cyber security teams to discuss risk reduction.
Those who met 15 times a year or more had zero breaches, and those who met ten times a year experienced only one breach. As the number of meetings dropped, the number of breaches rose dramatically.
Beyond participation, we tracked executives’ awareness of breaches. While executives’ involvement in risk reduction meetings is directly correlated with a decrease in the number of breaches, when executives are merely aware of the breaches, the correlation between increased awareness and increased security is far less pronounced. This confirms the findings from our survey on ransomware. Actively including executives in the breach prevention and productivity improvement process is therefore critical.
Breach Damage to Small and Medium Businesses is Proportionally Highest
As cyber practitioners, we often heard leaders from smaller to midsize companies state that they were “less important” to attackers, less likely to be hit, would suffer less damage, and recover faster. This is simply not the case. The survey data shows that medium (250 – 2,500 employees) and small businesses (250 employees or less) probability of being targeted is as high as that of large or extra-large organizations (2500 or more employees).
Bottom line, all sized businesses are attacked. There is no such thing as “I’m not big enough to be a target.” More importantly, if you are a small to medium size company, the survey shows that the impact on your business will be more significant. Even worse, it will take you longer to recover than larger organizations with more resources, money, and staff capable of investing more effort in comprehensively applying best practices and deploying more solutions.
In addition to these insights, we looked at the most impactful practices and solutions, particularly the adoption of offensive cybersecurity solutions.
Top Four Breach Prevention Practices
The survey results identified the four top practices to incorporate to better prevent, mitigate, and remediate breaches. The impact of the adoption rate of these four practices:
- Multifactor authentication adoption (67%).
- Corporate phishing and awareness campaigns (53%)
- Incident response planning and practice (44%)
- Least privileges adoption at (43%)
translated into experiencing an average of 1.1 breaches in the last year.
The other three practices included in the survey:
- application security in CI/CD pipelines (20%)
- moving MS Exchange to a cloud-managed model (15%)
- hiring MSSPs to offload portions of activities (10%)
translated into experiencing up to 2.1 breaches in the last year.
This is one of the most compelling statistics in the report. Adopting MFA and corporate phishing awareness campaigns, implementing and practicing IR plans and least privileges adoption enterprises significantly reduced the number of breaches. Though less flagrantly, those who also incorporated application security in CI/CD pipelines, moved their MS Exchange to a cloud-managed model or hired MSSPs to offload a portion of their activities also greatly benefited from it, seeing reductions in the number of breaches.
These seven practices need to be incorporated by all.
Top Four Breach Prevention Solutions
The survey results identified which four top solutions to incorporate to better prevent, mitigate, and remediate breaches. The impact of the adoption rate of these four solutions:
- Web Application Firewalls (WAFs) and API protection (47%)
- EDR (45%)
- Identity Access Management (44%)
- Email Security Gateways (41%)
This makes sense as the entire IT world seems to be based on applications, most often with a web front-end. Especially when correlated to our 2021 State of Cybersecurity Awareness showed that attackers were not only successful in taking advantage of front-end applications but optimizing WAFs was a complex operation often delayed. I think that the solutions being adopted are not merely Web Application Firewall adoption, but true API security as API technology has become mission-critical and much vaster in scope than before.
Offensive Testing Techniques Adoption
As the premier Extended Security Posture Management solution, we were keenly interested in seeing how many of the respondents had adopted offensive testing techniques. Beyond traditional third-party pen-testing (62%) and in-house pen-testing (59%), we saw an increase in the number of enterprises engaging in advanced offensive testing capabilities. Attack Surface Management adoption reached (53%) followed by Breach Attack Simulation (48%), Purple Teaming (34%), and Automated Red Teaming Campaigns at 33%.
It is encouraging to see such a rise in offensive testing adoption, now implemented by over half of all participants. In future surveys, we will explore adversarial techniques more in-depth.
By directly surveying global organizations and gaining their critical feedback, we could shine a light on independent, third-party validated best practices and best-performing solutions. Hopefully, more organizations will adopt those practices and integrate those solutions to optimize their security controls and gain more value for their cybersecurity spending while reducing their overall risk. As an added benefit, organizations that adopt using them will experience minimized damage with little to no business disruptions if a breach still occurs.
To read the full report: