Companies across all sectors were caught off-guard as cyber-attacks surged throughout the pandemic, exposing a lack of security maturity and the need to find strategies to ensure better security outcomes for the new normal.
The 2022 Thales Data Threat Report examines the impact that recent events have had on how organisations perceive the current effectiveness of their cybersecurity strategies as well as the security risks and threats they face. Fielded in January 2022, the report is based on a global survey of 2,767 security and IT management professionals.
How COVID-19 Continues to Shape the Cybersecurity Landscape
Over the course of just two years, the COVID-19 pandemic forced some radical shifts in the business landscape. It changed how we work and the technologies we use to execute daily business activities. These changes have led to massive disruptions regarding the traditional approach to business cybersecurity.
Work from home policies and a surge in various types of cybercrime have forced businesses to adapt their cybersecurity infrastructure, policies, and mindset. Traditional cybersecurity perimeters are no longer valid, and a remote workforce has exacerbated many existing security weaknesses.
The simultaneous, or resultant, surge in cybercrime has forced businesses to respond, not only by investing in new cybersecurity technologies and human resources but also by viewing cyber-attacks as inevitable. The latter is especially pertinent as cybercrime has not tapered off at the same speed as it surged at the beginning of the pandemic.
The underlying trends are not likely to change soon.
Businesses remain aware of the heightened threat level of the new normal: 79% of respondents say they are still ‘somewhat’ or ‘very concerned’ about the security risks that a remote workforce poses, and 40% admit that they are not confident that their current security systems could effectively secure remote work.
Remote Work and Its Implications for Cybersecurity
If anything, remote work will become even more widely accepted as a necessary way of doing business. The workplace is becoming increasingly dispersed geographically and through workload distribution across a growing number of SaaS (Software-as-a-Service) apps and multi-cloud infrastructures.
This dispersal greatly expands the business cybersecurity perimeter and diffuses security controls. What’s more, cyber attackers have had growing success targeting businesses via the supply chain and asset management infrastructure.
Most agree that managing privacy and data protection in cloud environments is more complex than in on-premises networks.
The higher incidence of high-profile cyberattacks, like Hafnium, Log4j, and Conti RaaS, shows the level of threat businesses are under. In 2022, 43% of senior leaders reported an increase in attacks from the previous year.
It’s telling that, at the same time, 28% of leaders would not entrust their organisation with their personal data.
What are the Main Security Threats Facing Businesses?
Talking with stakeholders actively involved in business cybersecurity yields some interesting insights into the current threat landscape and forward-looking perceptions that shape the decisions business and cybersecurity leaders are making.
Crucially, 45% of respondents experienced an uptick in the volume, severity, or scope of cyberattacks over 12 months. Unsurprisingly, 56% of respondents ranked malware as the leading source of cyberattacks. Ransomware was a close second with 53% of the vote, and phishing/whaling came third with 40%. This has remained essentially unchanged from the previous year.
It’s also interesting to see how the perception of where threats come from has changed. In 2021, malicious insiders were considered the top-ranking threat by 35% of respondents. Human error was close behind with 31%, and nation-states were much further behind with only 12%.
That has almost entirely flipped on its head. In alignment with what we know of security risks in remote working environments, 38% now see human error as the top-ranking threat. Due to the rise in geopolitical tensions as well as a number of major global cybersecurity incidents, such as the SolarWinds and NotPetya attacks, nation-states surged up to 28%. Only 14% of respondents still consider malicious insiders as a top-ranking threat.
Perceptions regarding what is under attack have also shifted. In the previous year, the third-party network was the primary concern of 25% of respondents. This year, cloud storage (33%), cloud databases (32%), and cloud-delivered hosted applications (28%) were the top priorities.
Ransomware and the Impact of Security Breaches
Ransomware continues to be one of the most significant cybersecurity threats facing organisations. 21% of organisations experienced a ransomware attack in the past year, according to the study. In 43% of attacks, the victim organisation was significantly impacted.
As a largely financially motivated form of cyber-attack, ransomware can cause major financial damage to victims. However, the true costs of a ransomware attack are often misunderstood.
So, what do the actual economics of a ransomware breach look like? It might not be what you expect:
- 23% of respondents stated that financial costs from penalties, fines, and legal expenses would have the largest impact
- 19%, 18%, and 16% felt that lost productivity, recovery, and breach notification costs were the most impactful
- Soft, long-term costs, such as brand reputation (11%) and customer loss (7%), had a much lower perceived impact
Therefore, it is no surprise that 22% of respondents say they have paid, or would pay, a ransom for their data.
However, ransomware is not the only significant security breach threat facing companies. 52% of organisations discovered a past breach, while 35% were breached in the last year.
The ability to successfully avoid breaches seems to track alongside that of an organisation’s compliance record. Of the 57% of respondents who have passed compliance audits, 40% have previously experienced a breach, while only 18% have experienced one in the last year. There seems to be a correlation between investment in improving compliance and security breach outcomes.
Cloud Adoption
Cloud adoption continues to grow in the wake of the COVID-19 pandemic and the coming of the remote work era; in fact, the pandemic appears to have accelerated the adoption of cloud-based infrastructure.
As many as 40% of respondents say that between 41% and 60% of their sensitive data is in the external cloud. A further 20% have 60% or more of their sensitive data in the cloud. Unfortunately, while the amount of data stored in the cloud is increasing, the encrypted share of data is growing at a much slower pace. Only 22% of respondents have more than 60% of their cloud-based data encrypted.
The result is that 44% report either experiencing a breach or failing an audit in their cloud environments.
So, why aren’t organisations using such a tried-and-trusted method to secure their cloud data? One of the issues could be that only 48% of organisations have a centrally defined security policy. The majority leave the technical standards and enforcement to individual teams, leading to a lack of organisation-wide compliance.
Three challenges seem to be the main contributors to the lack of maturity in cloud data security:
- Limited use of encryption
- Perceived or experienced multi-cloud complexity
- The rapid growth of enterprise data
Now, let’s look at some underlying trends that are shaping cybersecurity in the cloud.
Multi-Cloud Strategy
With the proliferation of cloud technologies and services as well as the growing adoption by businesses, it’s no surprise that organisations are already leveraging multiple cloud providers. AWS seems to be the most widely-used IaaS (Infrastructure-as-a-Service) provider, employed by 48% of respondents. Microsoft Azure was a close second at 47%.
Organisations are diversifying their IaaS portfolios, leading to significant overlap between various cloud providers. Other widely used IaaS providers are Google Cloud, IBM Cloud, Oracle, and Alibaba.
In 2021, 16% of respondents used more than 50 software-as-a-service (SaaS) apps. In 2022, that percentage has grown to 34%, with 16% using more than 100 SaaS apps. An additional 4% of organisations use more than 500 SaaS apps.
Of course, increased complexity in multi-cloud environments leads to many potential cybersecurity concerns. How do organisations consistently apply security policies across multiple cloud vendors as well as individual teams? How do you manage security keys, tokens, and encryption within cross-platform ecosystems?
51% of respondents agree that managing privacy and data protection in the cloud is more complex, and each new cloud solution that joins a multi-cloud environment adds to that complexity.
Zero-Trust
Zero-trust security policies seem uniquely suited to addressing the modern-day challenges organisations operating in the cloud face. Zero-trust promises the ability for more fine-grained, automated security controls to manage dynamic remote access and implement software-defined perimeters.
Unfortunately, implementing zero-trust does not seem to correlate with a lower incidence of breaches. Of the 44% of respondents with no formal zero-trust strategy, 31% experienced a breach in the past 12 months. Of the 30% with a formal zero-trust strategy, 41% experienced a breach.
Despite that, a growing number of organisations are shaping their cloud security strategies around zero-trust network access policies.
Zero-trust is undoubtedly a non-negotiable framework for securing organisations in the cloud by limiting access from unauthorised external users. However, for now, the positive effects of zero-trust network access seem to be overshadowed by other challenges relating to the complexity of cloud environments.
Data Protection Management Strategies
Both data encryption and tokenisation are key elements in pursuing effective data protection measures. However, once again, the complexity and divergent nature of cloud environments are creating challenges in effectively implementing and managing these security measures.
41% of organisations deploy five to seven key management products, while 14% employ eight. Organisations seem to accrue various key management products due to how cloud systems organically grow and change with time. Mergers and acquisitions, changes in hardware or software systems, and the different approaches used by independent teams all contribute to the complexity.
This also leads to the use of cumbersome and unsafe management practices, such as static documents and spreadsheets, which in turn increases the risk of errors and the time and effort needed to manage them.
Furthermore, fewer organisations use key management (52%) than encryption (59%). This may be another sign of a lack of security maturity, as using encryption without key management is associated with its own security risks.
It’s clear that, for key management to be truly effective, it needs to be implemented in a simple, scalable, and user-friendly way.
Misalignment Between Spending and Reality?
While awareness of the security risks posed by the current cybersecurity landscape is improving, it does not seem to be consistently backed up by action. For example, while most organisations rank the cloud as a priority target, many still fail to mitigate the threat using measures such as encryption and MFA (multi-factor authentication).
Ransomware is another good example. Despite the threat posed by ransomware, only 48% of businesses have a formal ransomware plan. Even companies with the means to do so lag in implementing a formal ransomware plan, with only 50% of those with annual revenue above $1 billion having one.
Healthcare and energy businesses have been particularly hard-hit, but only 56% of healthcare and 44% of energy companies have a formal ransomware response plan in place.
Neither of these findings tracks with reality, according to 451 Research’s Voice of The Enterprise: Storage, Data Management & Disaster Recovery – Advisory Report. It found that 62% of enterprises feel either “very” or “extremely” confident in their ransomware recovery capabilities.
Furthermore, 41% of respondents have no plans to change their security spending, even if ransomware attacks increase.
It’s Not All Bad News – Businesses are Stepping Up Their Cybersecurity Posture
In 2021, 45% of businesses protected 41% of their sensitive cloud data using encryption; in 2022, 51% achieved the same level of encryption. 19% of respondents in the financial sector indicated that 80% of their sensitive cloud data is encrypted.
While these are small steps in the right direction, there is still a long way to go.
How we can help
It is clear that there remains work to be done in data identification, classification and protection in the context of the shifting threat and risk landscape. Specifically, organisations need to:
- Support and scale remote working models effectively
- Secure data throughout its lifecycle and across applications
- Span the full breadth of hybrid infrastructure
- Provide the visibility to support and inform operations while delivering the assurances that governance and regulatory commitments require
Mobliciti and Thales can help you to achieve this and ensure your cloud data remains protected. Get in touch to find out more.