Study Suggests Businesses Are Not Prepared for the Escalation in Cyberattacks

By | October 14, 2022

Businesses are appreciating the importance of cybersecurity and realizing that they need to invest more heavily in cybersecurity as threats are evolving at such a rapid pace. The challenge for businesses is ensuring that their defenses allow them to stay one step ahead of cybercriminals, but the frequency at which data breaches are being reported suggests many businesses are struggling to keep up the pace.

In order to understand how to keep their businesses secure, IT leaders need to know how cybercriminals are bypassing defenses. They can then make informed decisions about the security solutions they need to invest in that will give them the best ROI in terms of security.

Keeper Security recently conducted a survey to explore how cybersecurity is transforming and where businesses are investing in cybersecurity tools. The survey was conducted on 516 IT decision-makers in the United States and the findings were published in Keeper’s 2022 U.S. Cybersecurity Census Report. The report delves into the threats that businesses face and the strategies that can be adopted by businesses to better deal with cyber threats and stay one step ahead of the threat actors that are trying to breach their networks.

Businesses realize that cybersecurity is a key priority. 71% of businesses said they have made new hires in cybersecurity in the past 12 months, but even with additional skilled staff, there is concern among businesses that they will not be able to maintain pace with the fast-evolving cyber threat landscape.

According to the study, U.S. business experiences an average of 42 cyberattacks a year and IT leaders predict that attacks will increase in the next 12 months. A majority of respondents said they were confident in their ability to defend against cyber threats and that they believe they have the cybersecurity solutions and tools in place to protect against attacks, even though an overwhelming majority of surveyed organizations experienced a successful cyberattack in the past year. IT leaders also report that it is now taking longer to identify and respond to cyberattacks.

The survey confirmed the impact cyberattacks are having on businesses. 31% of businesses said they had experienced a successful cyberattack that had disrupted partner/customer operations, with the same percentage saying attacks resulted in the theft of financial information. 28% said attacks caused reputational damage, with the same percentage saying corporate information was stolen. Almost a quarter said attacks resulted in disruption of the supply chain and trading/business operations. These attacks are having a considerable financial impact on businesses. On average, successful attacks cost businesses $75,000 per incident, with almost 4 in 10 organizations saying attacks have cost more than $100,000 to resolve.

While there was a high degree of confidence in cybersecurity defenses, the survey revealed the technology being used to defend against attacks was missing essential tools. Almost one-third of businesses did not have a management platform for IT secrets, such as API keys, database passwords, and privileged credentials. 84% of respondents were concerned about hard-coded credentials in source code, yet 25% of businesses did not have any software in place to remove them.

58% of Americans now spend at least some of the week working remotely, yet more than a quarter of businesses said they do not have a remote connection management solution in place to allow their IT infrastructure to be accessed securely by remote workers.

Identity and access management vulnerabilities were also identified. Only 44% of businesses said they provide their employees with best practices governing passwords and access management, and three out of 10 businesses let their employees set and manage their own passwords and admitted employees frequently share access to passwords. Only 26% of businesses said they have a highly sophisticated framework in place for visibility and control of identity security.

“This laissez-faire approach to access management makes it clear that more must be done to keep organizations and their employees protected,” explained Keeper Security in the report. “Despite these issues presenting a clear threat to businesses, fewer than half of respondents state they have plans to invest in password management, visibility tools for network-based threats, or infrastructure secrets management.”

The main areas where businesses plan to invest in security in the next 12 months are security awareness training (54%), creating a culture of compliance (50%), password management (48%), improving visibility to detect network threats (44%), infrastructure secrets management (42%), and passwordless authentication (42%). Despite its importance, only 32% of businesses said they are planning to adopt a zero-trust and zero-knowledge approach to security.

While it is encouraging to see many businesses making cybersecurity a key priority, the survey revealed a lack of transparency about cyberattacks at many businesses. 48% of IT leaders said they were aware of a cyberattack and kept it to themselves. “For U.S. businesses to become truly secure, perhaps the biggest change that must be made is cultural,” explained Keeper Security in the report. “Nearly half of IT leaders admitted to keeping a cyberattack they were aware of to themselves (suggesting they did not report it to any relevant authority). This figure should shock business leaders. Without a culture of trust, accountability, and responsiveness, cybercriminals will thrive.”

The post Study Suggests Businesses Are Not Prepared for the Escalation in Cyberattacks appeared first on HIPAA Journal.