According to security and analytics experts, companies worldwide spent a combined $114b on security products (both hardware and software) and services last year. This figure is expected to exceed $140b by 2021. According to the Ponemon Sullivan report, in 2017 the average cost of a data breach was $3.62 million, and 66% of respondents believe data breaches or cyber-security exploits will seriously diminish their organization’s shareholder value. Organizations are making the protection of customer data and proprietary secrets a priority and want to limit the risk to brand reputation that results from a data breach. That’s why boosting their efforts to improve their cyber-security posture is high on their priority list. The range and scope of attacks they cannot yet foresee dictate how they harden their security posture while staying within budget. Since the risk of being attacked is so high, C-level managers are now more aware and understand the responsibility. CIOs are raising the pressure to prioritize cyber-security and shift budgets to acquire security solutions, and at times make decisions based on assumptions. According to a recent survey conducted by EY, 42% of responding CIOs are willing to invest more than 10% of their annual IT budget in cyber-security.
For CIOs, making organizations cyber resilient by getting cyber-security right is far from simple. In contrast to what some technology providers claim, no single solution solves everything. Organizations expect cyber-security solutions to be “plug-and-play”. However, to be effective, those solutions need to be customized. They are more complex than CIOs expect, and they are only effective if they are adapted, adjusted, and updated regularly. That’s a luxury that only a few organizations can afford.
CIOs are facing an uphill battle in their fight to boost the cyber-security posture of their organizations. They are stuck with security products that have been purchased over time, an investment that top management is clinging onto. CISOs are under more and more pressure to deliver (especially post-GDPR) and are asking for more products, services, and staff to get the job done. In many cases, CIOs are confronted with requests for more budget from within the organization. Threat intelligence or incident response teams are asking for budget to strengthen the organization’s policy and compliance, invest more in security information & event management (SIEM), and extend endpoint threat detection or forensics & incident investigation.
Since cyber-attacks are becoming more complex, severe, and persistent, it has become impossible to find a single vendor who can solve it all. Too many products have been purchased over time, and CIOs don’t know where major weaknesses and unprotected assets are hiding, or where there are overlaps in the organization’s cyber-security tooling. It is time for CIOs to adopt a new approach: instead of guessing how their organization will cope with the next cyber-attack, they should simulate the attack lifecycle, which consists of several stages:
- To gain initial access, attackers use various strategies (e.g., drive-by compromise, exploiting weaknesses in public-facing applications, hardware and software additions that can be abused, spear-phishing attachments that launch the attached malware, etc.), and once inside they move laterally, hopping from host to host.
- For execution, the attackers use techniques that run their malicious code on a local or remote system. They establish persistence to maintain access to the attacked systems and use privilege escalation to obtain a higher level of permissions on a system or network. Throughout all phases of the attack they also use defense-evasion techniques to avoid detection.
- Discovery allows an attacker to gain knowledge about the system and the internal network. The operating system provides many native tools that help attackers gather information they can then use, e.g., to steal sensitive or financial data. They also collect information for
- Exfiltration allows an attacker to steal files and information from the compromised network.
- Their Command & Control (C2) channel allows the attackers to communicate with the systems under their control within the compromised network, issue further instructions, and keep exfiltrating information that is profitable for them.
Considering these various attack stages, it’s essential for CIOs to find out where there are weaknesses and where there are overlaps in the organization’s cyber-security protection. A professional Breach & Attack Simulation (BAS) platform gives CIOs a fresh perspective on their existing practices and investments and identifies the security gaps that need to be closed. This also allows the organization to invest wisely, both financially and strategically. The results and recommendations provided by the platform give decision-makers the information they need to make the necessary changes to their data security products and services, and to save funds where overlaps are detected.
Test the effectiveness of your security controls against possible cyber threats with a 14-day trial of Cymulate’s platform.
Don’t speculate, Cymulate