by Nick Kael
Posted on March 16, 2022
A recent survey of over 500 CTOs across four continents revealed a lot of interesting information and insights. But what really surprised us – and concerned us, too – was the section on “How CTOs are managing risk and protecting data and IP.”
80% of companies with fewer than 50 employees do not have a dedicated cybersecurity team. Of companies with over 1000 employees, 18% have no dedicated team. It’s a pretty safe bet (no pun intended) that at least some of the under-50 companies and most of the over-1000 companies use some sort of outsourced solution.
But consider this more troubling stat: 42% of the CTOs surveyed said their companies have no cybersecurity at all. None. No individual who is responsible for cybersecurity, certainly no dedicated team. No managed security service provider (MSSP), not even an outsourced cybersecurity service or consultant.
Given the dramatic increase in both the number of cyberattacks and their sophistication, neglecting cybersecurity is a grave mistake. Small businesses – the under-50 employee companies that have no dedicated cybersecurity teams – most likely assume that they are too small for cybercriminals to bother attacking. But increasing cyberattack automation and growing use of supply chains as a delivery vector put small companies at high risk. And unlike large companies that have the financial resources to weather a cyberattack, a successful cyberattack can be an existential threat for many SMBs.
Cybersecurity is too complicated – and too crucial – to be left to the part-time efforts of an IT generalist.
Going back to the survey, 59% of CTOs saw human error as the greatest threat to security, with ransomware (49%) and phishing (36%) following. Of course, these are not mutually exclusive categories: a lot of ransomware is delivered by way of phishing attacks, and falling for phishing attacks is the very essence of human error.
Despite its high ranking as the greatest cybersecurity threat and the many high-profile, crippling, and expensive ransomware attacks of recent years, nearly half of respondents – 47% – have no ransomware protection. In fact, only 10% of respondents have ransomware protection implemented for all cases. To make matters worse, many CTOs reported that their organizations permit deployment of untrusted container images, which frequently contain malware.
Disaster recovery is the most commonly deployed cybersecurity tool among the CTOs surveyed, with over 94% reporting having automated backups in place.
While recovery solutions are a prudent investment, companies would do well to invest in solutions that can protect them from ransomware attacks in the first place. Of course, ideally, both should be deployed, since no prevention scheme is perfect.
One out of 13 respondents – nearly 8% – said they had fallen victim to a cyberattack in the previous 12 months. It’s safe to assume that this figure lowballs the actual number, since companies are reluctant to publicize being attacked. In addition, given the significant number of organizations lacking professional security staff, it is likely that some may not be aware that their networks were breached.
Considering that a successful cyberattack can cripple a company for weeks and recovery costs can far exceed the direct losses from the attack, even 8% is a scary statistic.
The best way to protect against all three of the top perceived cybersecurity threats – human error, ransomware, and phishing – is with a Zero Trust approach to securing interactions with web and email.
With a Zero Trust approach, every website, every user, and every network interaction is treated as potentially dangerous. With this in mind, Zero Trust Web Browsing assumes every interaction with the web is risky. To address the risk, a technology called Remote Browser Isolation (RBI) can be used to air-gap users’ devices from ransomware and phishing attacks (thus catching a lot of human error) delivered by the most common threat vectors – emails and the web.
Many small and medium enterprises may believe that Zero Trust security is out of their reach – too costly, too complicated, too difficult to manage. That’s why we created ZTEdge, a Secure Access Service Edge (SASE) solution, specifically to meet the security needs of small and medium enterprises. And it is why we partner with excellent Managed Security Service Providers (MSSPs) who make it simple for smaller companies to enjoy the full benefits of Zero Trust security, without in-house cybersecurity expertise and without breaking the budget. Check it out now and start protecting your business from cyberthreats.