A new study finds that due to the growing threat surface from hybrid work and third-party vendors, only half of organizations have the budget to meet current cybersecurity needs.
With the tech sector downsizing, with headliners like Amazon, Microsoft, Meta, Google and Salesforce, Coinbase, Crypto.com, Lyft, Netflix, Intel and many more, companies are facing 2023 with a thin bench of security experts and tighter budgets.
SEE: How to recruit and hire a Security Analyst (TechRepublic Premium)
Results from a bimonthly online poll of security pros across EMEA and the US by the Neustar International Security Council suggests that few organizations think they have sufficient defenses across their threat surfaces, and only half of respondents said they have sufficient budgets to meet their security needs. Only one in 10 admit they are prepared to protect only their most critical assets.
Security teams asked to do more with less
Carlos Morales, senior vice president of solutions at Neustar Security Services, acknowledged in the study that IT teams are stretched thin as threat surfaces expand, and they are compelled to take on new responsibilities and field new initiatives — while facing personnel shortages.
“With mounting budget pressures, IT and security teams are once again being asked to do more with less, which will likely accelerate the adoption of service-based offerings that allow enterprises to flexibly scale up resources based on demand,” Morales said.
Third-party providers widen the threat surface
Eighty-five percent of respondents said hybrid working has increased their organization’s reliance on third-party providers for outsourcing staff and resources, and 78% said this development has left their organization more exposed to attacks.
Respondents rated distributed denial-of-service attacks as the greatest perceived threat (22%) followed by system compromise (20%) and ransomware (18%), with 87% of respondents reporting that their organization has been on the receiving end of a DDoS attack at some point.
A majority of enterprises polled said they outsource their DDoS mitigation, and most (60%) take between 60 seconds and five minutes to initiate mitigation.
In the survey of business managers and senior directors, CTOs and other professionals, only 34% of respondents said they believe their current cybersecurity strategy is very adequate, with about 60% considering it to be somewhat adequate.
SEE: Mobile device security policy (TechRepublic Premium)
Leaders worry about increasing sophistication of attacks
In addition to doubts about enterprise security strategies, 35% of respondents said their organization’s cybersecurity budget would remain the same or decrease in 2023, and 44% of these individuals believe their business will be more exposed and at risk as a result.
When survey participants were asked to identify the most significant current risks to their organization’s IT security posture:
- The top concern was the increased sophistication of attacks, a sentiment shared by 60% of respondents.
- The increased activity of attackers, mentioned by 54% of respondents, was the second most prevalent concern.
- Budget constraints and a larger attack surface from an increasingly borderless business operation were each mentioned as concerns by 35% of respondents.
- 27% of respondents pointed to resource shortages, such as talent, security skills gaps and burnout.
- 19% of those polled cited too many tools and alerts to manage as a risk.
A large majority of respondents agree that C-suite and board-level decision-makers understand the current security threats their business is facing (83%), recognize the importance of having a multilayered defense strategy (81%), and make protecting the organization an integral part of business operations (80%). However, a significant share of participants (69%) are also concerned that current budget constraints are limiting the use of new strategies, technologies and implementation practices.
When asked which threat vectors they felt were on the rise, ransomware was most cited (75%), followed by phishing (74%), DDoS attacks (72%), and targeted hacking and social engineering via email (71%).
Resiliency includes bringing CISOs to the C-Suite
Based on a recently released World Economic Forum survey-based study, over half of cyber leaders meet with business leaders monthly, or more frequently, to discuss cyber-focused topics. The benefits are powerful, based on respondents at companies who follow this practice, as it puts the spotlight on cybersecurity priorities.
The WEF survey found that, of the respondents who meet at least monthly, 36% are confident their organization is cyber resilient. Only 8% of those respondents report that their organizations either are not cyber resilient or that they are concerned about their organization’s ability to be cyber resilient.
The WEF study also suggests that a direct conversation between CISOs and business decision-makers can have a healthy influence on cybersecurity budgets, but a third of cybersecurity leaders polled ranked gaining leadership support as the most challenging aspect of managing cyber resilience.
Upskilling will be a critical component of reverse-engineering attacks, and capping zero-day vulnerabilities and more. Consider downloading these tools for becoming an ethical hacker and reaping the benefits.