Although nearly 70 percent of organizations by one measure were hit by a cyber attack in the last year, a lack of visibility remains high, threat detection is problematic, false alarms cost time and money and most eschew endpoint security, a new study found.
Security provider Sophos, through a third-party interviewer, surveyed 3,100 IT decision makers between December, 2018 and January, 2019 in organizations ranging from 100 users to 5,000 users and came up with a report it calls 7 Uncomfortable Truths of Endpoint Security.
This is what Sophos concluded from the data:
Truth #1: More than two-thirds (68%) of organizations say they were hit by a cyber attack in the last year.
- Most threats (37%) are discovered on the server. Modern attacks often start at endpoints before moving laterally to servers, the higher-value targets.
- Larger organizations suffered more attacks (73%) than smaller ones (63%).
- Larger organizations are likely targets for cyber criminals because they are believed to be more lucrative scores.
- Larger organizations are usually more aware that they’ve been hit by a cyber threat.
“These are just the attacks that organizations have discovered. The actual number could well be higher,” Sophos said.
Truth #2: IT teams lack visibility into attacker dwell time.
- In the last year, the average amount of time it took an organization to discover the most significant cyber attack was 13 hours.
“Clearly 13 hours is a huge amount of time for a hacker to have uninterrupted access to your systems and data. In this amount of time, a cyber criminal can wreak significant damage, including exfiltrating sensitive data, stealing credentials, installing money-stealing Trojans, installing ransomware, and more,” the report reads.
Truth #3: IT teams can’t plug their security gaps because they don’t know what they are.
- One in five IT managers are unaware how their most significant cyber attack entered their organizations.
- Larger organizations are more likely to know how threats got in than smaller ones. They likely have more skilled resources and more comprehensive cybersecurity solutions than smaller companies.
Truth #4: Organizations lose 41 days each year investigating non-issues.
- Organizations spend, on average, four days a month investigating potential security issues, or 48 days a year.
- Only 15% turn out to be actual infections.
- As a result, organizations are spending 85% of their time investigating non-issues, or about 41 days a year.
Truth #5: Four out of five organizations are struggling with threat detection and response mostly due to a lack of security expertise.
- 80% of IT managers wish they had a stronger team in place to properly detect, investigate, and respond to security incidents.
- Of organizations hit by a cyber attack, 85 percent want a stronger team. Of those not hit by a cyber attack, 71 percent want a stronger team.
Truth #6: More than half of organizations don’t see the value of their endpoint detection and response (EDR) solutions.
- More than nine out of 10 IT managers surveyed (93%) either have or plan to have EDR in their security arsenals.
- Of those who don’t currently have EDR, 89% intend to add it to their defenses soon while 61% plan to do so within the next six months.
Truth #7: Cyber victims learn the hard way. Organizations victimized by a cyber attack in the last year are:
- More cautious – they investigate twice as many incidents as other organizations.
- Spend more time on cybersecurity – about four days a month investigating potential incidents, rather than three for non-victims.
Sophos also has some EDR recommendations:
- While EDR is a powerful tool that can elevate your cyber defenses, you need to have the resources in place to use it effectively and get the most from your investment. Unfortunately, for 54% of organizations, EDR was money wasted as they are unable to get full benefit from their solutions. As a result, every organization should fully consider both the capabilities and usability of an EDR solution before adding it to their security arsenal.
- Organizations should start from the assumption that a threat will make its way through their defenses. They should also be mindful of the limitations to their visibility into threats and their resulting inability to identify and block the gaps in their security armor.
