Monthly Archives: July 2024

2024 Cybersecurity Threat and Risk Management Report

The threat landscape keeps breaking records as it becomes more volatile and complex. Most organizations are experiencing data breaches and security incidents; what’s more, they are also reporting an increase in frequency. Sixty-one percent of organizations represented in this research had a data breach or cybersecurity incident in the past two years and 55 percent of respondents say they have experienced more than four to five of these incidents.

The purpose of this research, sponsored by Optiv, is to learn the extent of the cybersecurity threats facing organizations and the steps being taken to manage the risks of potential data breaches and cyberattacks. Ponemon Institute surveyed 650 IT and cybersecurity practitioners in the US who are knowledgeable about their organizations’ approach to threat and risk management practices.

In the past 12 months, 61 percent of respondents say cybersecurity incidents have increased significantly (29 percent) or increased (32 percent). Only 21 percent of respondents say incidents have decreased (13 percent) or significantly decreased (8 percent).

The following is a summary of the most salient research findings.

An enterprise-wide Cybersecurity Incident Response Plan (CSIRP) is an essential blueprint for navigating a security crisis. A CSIRP is a written and systematic approach that establishes procedures and documentation and helps organizations before, during and after a security incident. Despite the importance of such a plan, less than half of respondents (46 percent) say their organizations have a CSIRP that is applied consistently across the entire enterprise. Twenty-six percent of respondents say their CSIRP is not applied consistently across the enterprise and 17 percent of respondents say it is ad hoc. Of those organizations with a CSIRP, only 50 percent say it is effective or highly effective. To improve their effectiveness, CSIRPs need to be applied consistently throughout the organization. This would ensure that, should a data breach occur, the response activities would be uniform and not siloed because different functions follow different CSIRPs.

To determine if the plan can deal with incidents that are increasing in frequency and severity, the CSIRP should be regularly reviewed and tested. However, only 23 percent of respondents say the CSIRP is reviewed and tested each quarter and 44 percent of respondents say it is reviewed twice per year (29 percent) or once per year (15 percent). Only 48 percent of respondents say it is tested by a third party.

Proof that investments in technologies and resources are effective in reducing security incidents determines how much to allocate to the cybersecurity budget. An average of $26 million was allocated to cybersecurity investments in 2024. To calculate how much to allocate to the 2024 cybersecurity budget, organizations focus on evaluating the proven effectiveness of investments in reducing security incidents (61 percent of respondents), assessing the threats and risks facing the organization (53 percent of respondents) and analyzing the total cost of ownership (48 percent of respondents). Only 36 percent of respondents say there is no formal approach for determining the cybersecurity budget.

More resources are allocated to assessing the effectiveness of organizations’ cybersecurity processes and governance practices. The 2024 cybersecurity budget is being used to conduct an internal assessment of the effectiveness of their organizations’ security processes and governance practices (60 percent of respondents), to increase resources allocated to Identity and Access Management (58 percent of respondents), to purchase more cybersecurity tools (51 percent of respondents) and to hire more skilled security staff (49 percent).

Compliance practices and cybersecurity insurance are considered the most important governance activities. Fifty-two percent of respondents say the most important cybersecurity governance activity is to conduct internal or external audits of security and IT compliance practices. The second and third most important governance practices are the purchase of cybersecurity insurance (46 percent of respondents) and establishment of a business continuity management function (42 percent of respondents).

Cybersecurity insurance is difficult to purchase because of insurers’ requirements. Only 29 percent of respondents say their organizations have cybersecurity insurance. Forty-eight percent of respondents say they plan to purchase cybersecurity insurance in the next six months (23 percent) or in the next year (25 percent of respondents). Fifty-two percent of respondents say it is highly difficult to purchase cybersecurity insurance because of the insurer’s requirements. Insurers often require having certain policies and technologies in place, such as regular scanning for vulnerabilities that need to be patched, adequate staff to support cybersecurity programs and policies, and multi-factor authentication required for remote access.

The ability to reduce the time to detect, contain and recover from a data breach measures the effectiveness of cybersecurity threat and risk management programs. The metrics most often used to report on the state of the cybersecurity risk management program are the time to detect a data breach or other security incident (47 percent of respondents), time to contain a data breach or other security incident (43 percent of respondents) and time to recover from a data breach or other security incident (41 percent of respondents). An enterprise-wide CSIRP is valuable in enhancing the ability to respond quickly to a data breach.

Too many cybersecurity tools are hindering a strong cybersecurity posture. Organizations in this research have an average of 54 separate cybersecurity technologies. Forty percent of respondents say their organizations have too many cybersecurity tools to be able to achieve a strong cybersecurity posture. Only 29 percent of respondents say their organizations have the right number of cybersecurity tools. Not only are there too many tools, only 51 percent of respondents rate these technologies as highly effective in mitigating cyber risks.

Technology efficiency and integration are key to achieving the right number of technologies. Asked what it takes to have the right number of separate security technologies, 53 percent of respondents say it is making sure technologies are used efficiently and 51 percent of respondents say it is making sure the data is integrated across the technologies deployed.

The primary technologies deployed are network firewalls (NGFW) and intrusion detection and prevention (IDS/IPS), according to 58 percent of respondents. Other technologies most often deployed are endpoint antivirus (AV) and anti-malware (AM) (51 percent of respondents), cloud/container security (50 percent of respondents) and endpoint detection and response (EDR) (48 percent of respondents).

Organizations are investing more in cloud services that go beyond traditional on-premises security methods. A SASE (secure access service edge) or Security Service Edge (SSE) architecture combines networking and security as a service function into a single cloud-delivered service at the network edge. Forty-six percent of respondents say their organizations have implemented SASE and, of these respondents, 42 percent say their organizations engaged a third party or system integrator to support the SASE or SSE implementation.

According to the findings there is significant interest in Security Orchestration Automation and Response (SOAR) adoption. SOAR seeks to alleviate the strain on IT teams by incorporating automated response to a variety of events. Seventy-three percent of respondents say their organizations use SOAR significantly (38 percent) or moderately (35 percent).

Cybersecurity use cases for artificial intelligence (AI) and machine learning (ML) models are on the rise. An ML model in cybersecurity is a computational algorithm that uses statistical techniques to analyze and interpret data to make predictions or decisions related to security. Respondents say their organizations use AI/ML to maintain competitive advantage (49 percent of respondents), to prevent cyberattacks (44 percent of respondents) and to support their IT security team (40 percent of respondents). To ensure that AI/ML reduces cybersecurity risks and threats, respondents say they use AI vulnerability scanning (59 percent of respondents), an AI firewall (52 percent of respondents) and adversary TTP training for security staff (47 percent of respondents).

To read best practices of high performing organizations, and the rest of this report, download it from Optiv’s website.

Cybercrime adds a new, very dangerous twist — face-to-face meetings

Bob Sullivan

We often think of cybercrime as a long-distance nightmare. A victim is manipulated by someone pretending to be a lover, or a boss, or a seller, and then sends that criminal money using some electronic, virtual method. A really disturbing trend I’ve noticed recently is the increased frequency of in-person meetings as part of a cybercrime. A criminal visits the victim to pick up cash, or even gold, at their home (like this story we did in March). A criminal sends an Uber delivery person to pick up a “package” that contains fraudulent payments. A victim is lured into a meeting over a Facebook Marketplace purchase, then robbed. Or, in the case of a recent Perfect Scam podcast I worked on, a con artist lurks at a “zone of trust” place like a golf course or a church looking for generous people to target with a charity scam.

This in-person meeting trend is alarming because a lot more things can go wrong when criminals are in the same physical space as their victims. Earlier, I told you about the tragic story of an Ohio man who had been communicating with criminals attempting to commit a “grandparent scam” and shot an Uber driver whom he said he believed was part of the scam; he has been indicted for murder and pleaded not guilty. The driver, who died, was not a part of the scam.

Steve Baker, a longtime consumer advocate and former Federal Trade Commission lawyer, first pointed out this trend to me, and now I’m seeing it in many places. The Social Security Administration issued a dire-sounding warning a few weeks ago titled “Don’t Hand Off Cash to ‘Agents.’” It reads:

“The Social Security Administration (SSA) Office of the Inspector General (OIG) is receiving alarming reports that criminals are impersonating SSA OIG agents and are requesting that their targets meet them in person to hand off cash. SSA OIG agents will never pick up money at your door or in any type of exchange. This is a SCAM!

NEVER exchange money or funds of any kind with any individual stating they are an SSA OIG agent. This new scam trend introduces an element of physical danger to scams that never existed before.”

Meanwhile, police in New York are warning about a rise in crimes that begin as fake Facebook Marketplace ads — and end with victims staring down the barrel of a gun.

Why are cybercriminals getting this bold and meeting victims in person, or sending someone else to do that? It’s too early to tell, but part of the reason *could* be increased transaction scrutiny at places like Zelle or cryptocurrency exchanges, along with increased fraud awareness around gift cards. Time will tell.

In the meantime, I’m very concerned we will see more situations like that story from Ohio. Please be extra vigilant when speaking with loved ones about cybercrime. Look and listen for signs of surprising new friends or unexpected meetings. Keep those lines of communication open.