Many security executives say they’re unprepared for the threats that lie ahead

Security officers surveyed by ThoughtLab expect an increase in attacks over the next two years from cybercriminals and nation-states using social engineering and ransomware.

As cyberattacks grow in both number and sophistication, organizations are increasingly under the gun to protect themselves from compromise. Though companies have responded by upping their security budgets and adopting more advanced defenses, keeping up with the threats that will surface over the next few years will be a challenge. A report released Tuesday by research firm ThoughtLab looks at how businesses and government agencies can better defend themselves against the security threats that lie ahead.

SEE: Mobile device security policy (TechRepublic Premium)

For its report titled “Cybersecurity Solutions for a Riskier World,” ThoughtLab studied the security practices and performance of 1,200 companies in 13 industries and the public sector across 16 countries. As part of its survey, the firm elicited responses from a range of C-suite executives, managers and other officials with some level of responsibility for cybersecurity. ThoughtLab also interviewed and held peer group sessions with security experts around the world.

In 2021, the average number of cyberattacks and data breaches increased by 15.1% from the previous year. Over the next two years, the security executives polled by ThoughtLab see a rise in attacks from social engineering and ransomware as nation-states and cybercriminals grow more sophisticated. The main causes of these attacks will come from misconfigurations, human error, poor maintenance and unknown assets.

The increase in security threats has prompted organizations to boost their cybersecurity spending. From 2021 to 2022, security budgets as a share of overall revenue jumped by 51%. This year’s budgets will comprise 12% to 15% of overall enterprise IT spending, double the numbers from the recent past. At the same time, cybersecurity has transitioned from an IT issue to a key area for business risk, involving senior management and the board of directors for many organizations.

Despite the increased efforts to combat security threats, many of those interviewed by ThoughtLab see several reasons for alarm.

A full 44% of the executives surveyed said that their growing use of partners and suppliers exposes them to significant security risks. Some 30% said their budgets aren’t sufficient to ensure proper cybersecurity, while several pointed out that the criminals are better funded. A quarter of all the respondents said the convergence of digital and physical systems, such as Internet of Things devices, has increased their security risks.

Further, 41% of the executives don’t think their security initiatives have kept up with digital transformation. More than a quarter said that new technologies are their biggest security concern. And just under a quarter cited a shortage of skilled workers as their largest cybersecurity challenge.

To help you and your organization better prepare for the security threats that lie ahead, ThoughtLab offers the following ten recommendations:

• Apply the right cybersecurity framework. Organizations that apply the NIST cybersecurity framework do better on such key goals as reducing the number of breaches, shortening the time to detect a breach, and decreasing the time to mitigate an attack.
• Make sure your cybersecurity budgets are sufficient. Organizations that reported no material breaches in 2021 spent more on security than did those that were hit by multiple breaches. Spending more on security also resulted in less time taken to detect and mitigate an attack.
• Implement a risk-based approach to security. Organizations that adopted a risk-based approach saw fewer material breaches and cyber incidents. Further, 40% of security executives said they adhere to Zero Trust
• Focus your cybersecurity efforts around people. Organizations that provide effective security training, successfully recruit and retain security staff, and are sensitive to security risks see fewer breaches and take less time to respond to a breach.
• Secure your supply chain. Organizations that pay attention to supply-chain security do better at detecting, responding to and mitigating security threats.
• Adopt the latest technologies but don’t overdo it. Organizations that reported no breaches invested in basic defenses such as email security and identity management as well as specialized tools such as cloud access security brokers, cyber-risk models and SIEMs. But the trick is to adopt a multi-layered strategy without crowding your environment with too many disparate and disconnected security technologies. Consolidation is key.
• Protect your linked IT and OT assets. As digital and physical environments converge, organizations that focus on protecting interconnected IT and OT assets are hit with fewer breaches and take less time to detect and respond to an attack.
• Take advantage of automated intelligence. Using artificial intelligence and machine learning can lead to more effective security while also freeing up your staff from more mundane tasks.
• Take better control of wider attack surfaces. As attack surfaces increased during the pandemic, many organizations failed to effectively expand their security net. For example, only 26% of the organizations use multi-factor authentication across the board, while just 31% use analytics to monitor the security activities of their users.
• Measure your security performance. Organizations that monitor six or more different security metrics see fewer breaches and respond more quickly to attacks.