A new study reveals that, as hybrid work and third-party vendors expand the threat surface, only half of organizations have the budget to meet today’s cybersecurity needs.
With the tech industry downsizing, led by headline names such as Amazon, Microsoft, Meta, Google, Salesforce, Coinbase, Crypto.com, Lyft, Netflix, Intel and more, businesses face 2023 with a small group of security experts and tighter budgets.
Results from a bi-weekly online survey of security professionals in EMEA and the United States by security firm Neustar International suggest that few organizations believe they have sufficient defenses on their threat surfaces, and only half of respondents said they have sufficient budgets to meet their security needs. Only one in 10 admits they are prepared to protect only their most critical assets.
Security teams asked to do more with less
Carlos Morales, senior vice president of solutions at Neustar Security Services, acknowledged in the study that IT teams are stretched as threat surfaces expand, and they are forced to take on new responsibilities and launch new initiatives – while facing staff shortages.
“With increasing budget pressures, IT and security teams are again being asked to do more with less, which will likely accelerate the adoption of service-based offerings that allow enterprises to flexibly scale up resources based on demand,” Morales said.
Third-party vendors expand the threat surface
Eighty-five percent of respondents said hybrid working had increased their organization’s reliance on third-party vendors for outsourcing people and resources, and 78% said this shift had made their organization more vulnerable to attack.
Respondents ranked distributed denial of service attacks as the biggest perceived threat (22%), followed by system compromise (20%) and ransomware (18%), with 87% of respondents reporting that their organization has been the victim of a DDoS attack at some point.
A majority of companies surveyed said they outsource their DDoS mitigation, and most (60%) take between 60 seconds and five minutes to initiate mitigation.
In the survey of business leaders and senior managers, CTOs and other professionals, only 34% of respondents said they thought their current cybersecurity strategy was very adequate, with around 60% considering it quite adequate.
Leaders worry about growing sophistication of attacks
In addition to doubts about companies’ security strategies, 35% of respondents said their organization’s cybersecurity budget would stay the same or decrease in 2023, and 44% of those people believe their company will be more exposed to and challenged by risk accordingly.
When survey participants were asked to identify the most significant current risks to their organization’s IT security posture:
- The main concern was the increased sophistication of attacks, a sentiment shared by 60% of respondents.
- Increased attacker activity, mentioned by 54% of respondents, was the second most common concern.
- Budget constraints and the larger attack surface of an increasingly borderless business operation were each mentioned as concerns by 35% of respondents.
- 27% of respondents highlighted lack of resources, such as talent, security skills gaps and burnout.
- 19% of respondents cited too many tools and alerts to manage as a risk.
A large majority of respondents agree that C-suite and board decision-makers understand the current security threats facing their organization (83%), recognize the importance of having a layered defense strategy (81%) and make protecting the organization an integral part of business operations (80%). However, a significant portion of participants (69%) are also concerned that current budget constraints limit the use of new implementation strategies, technologies and practices.
When asked which threat vectors they believe are on the rise, ransomware was the most cited (75%), followed by phishing (74%), DDoS attacks (72%), and targeted hacking and social engineering via email (71%).
Resilience includes bringing CISOs to the C-suite
According to a study based on a recently published World Economic Forum survey, more than half of cyber leaders meet with business leaders once a month, or more frequently, to discuss cybersecurity topics. The benefits are powerful, according to respondents from companies that follow the practice, as it sheds light on cybersecurity priorities.
The WEF survey found that among respondents who meet at least once a month, 36% believe their organization is cyber-resilient. Only 8% of these respondents say their organization is not cyber-resilient or that they are concerned about their organization’s ability to be cyber-resilient.
The WEF study also suggests that a direct conversation between CISOs and business decision makers can have a positive influence on cybersecurity budgets, but a third of cybersecurity leaders surveyed ranked gaining executive support as the most difficult aspect of managing cyber resilience.
Upgrading skills will be an essential part of reverse engineering attacks and capping zero-day vulnerabilities and more.