Chief Information Security Officers (CISOs) report successfully fending off more attacks despite facing agile and increasingly advanced adversaries with significant advantages, finds a new independent research study by Omnisperience for F‑Secure.

In interviews with 28 senior information security officers across the US, UK, and Europe, the professionals described threat landscape looks like a fractured workplace under constant assault. The CISOs felt forced to constantly manage a persistent ‘security debt’ and confront questions about what constitutes good security.

Attacks on the rise, employees targeted at home and in the office, but quality matters more than quantity

CISOs are eager to emphasize the distinction between a cyber attack and a cyber incident, and wish that others—especially the press and cyber security vendors—would clearly make the distinction.

A cyber attack is an attempt by an adversary – skilled or otherwise – to breach a system’s security policy to affect its integrity or availability, and/or the unauthorized access or attempted access to a system or systems. A cyber incident, however, is a successful attempt resulting in a breach of system’s security.

CISOs reported that the volume of attacks their teams fought off over the last 18 months has been increasing. But the number of incidents remained steady.

What explains the disparity? This could be because CISOs have made the right investments. However, it is the incidents that haven’t been discovered that may be the most worrisome. Because of the sophisticated nature of some of these attacks, organizations may not have the technology or people to identify they are in the middle of a compromise that, for example, may result in a ransomware deployment months down the road.

The top three threats encountered by the CISOs interviewed were:

1. Phishing
2. Ransomware
3. Business Email Compromise (BEC)

Attackers are now more likely to employ diverse vectors. Some of the following cyber attacks were cited as ongoing challenges for their security teams:

• Compromise and exploitation of remote workers aka ‘a trojan horse’;
• data leaks;
• DDoS;
• identity/credential/account compromise (via social engineering/phishing);
• Advanced malware (organized groups).

So which vulnerability are cyber criminals targeting most? The human one. Employees, along with everyone who works in a company’s supply chain, are still the primary attack vector.

Almost three-quarters (71%) of CISOs acknowledge that human fallibility remains one of their most pressing security concerns. Social engineering and phishing attacks are used to connect to employees, directly or indirectly. And no one is immune to an attempt—from receptionists to the C-level.

Fortunately, quantity does not equal quality. Most phishing attempts continue to be picked up by email and anti-phishing security products. Yet the changing nature of the workplace, especially during the pandemic, presents evolving challenges for CISOs.  Securing a more mobile and flexible office workforce comes with significant business risks, including:

1. The trojan horse
It’s easier to compromise corporate machines that are connecting from outside the network.. Once compromised these machines provide an access point to infect the rest of the network, creating the possibility of thousands of workers innocently exploiting the malware.

2. Hybrid
The continuous back and forth between business and social applications creates constant risk.

3. Contamination
Corporate computers used in the home, especially those used for non-work purposes, can be used for social engineering purposes, impacting the rest of the IT inventory, without ever entering the office. Once infected, these machines can then access the rest of the corporate network ala trojan horse.

The Security Debt

CISOs consistently mentioned they are having to run their operations with a ‘security debt’.  Attackers enjoy advantages over legitimate security pros – including time and freedom from regulation.

New security tools, initiatives to drive security-by-design into the early stages of new business projects, and internal security awareness have rarely been prioritized at appropriate levels. But CISOs recognize that this is the result of budget constraints, resource workloads, and priority of other business activities. No one gets into business just to have a network to defend. However, lots of criminals get into cyber crime because it pays.

Seventy-two per cent of the CISOs report that the adversaries they face clearly have advantages when it comes to speed. Why wouldn’t this be true? Criminals can attack from a distance, with more agility and resources compared to legitimate businesses that have regulatory constraints, fluctuating budgets and the need to balance security controls.

There is an overwhelming agreement that cyber criminals have increased their threat capabilities. Nearly all (96%) of the CISOs report they are facing a well-organized commercial industry that operates beyond the law.

Criminals write, update and can integrate their own code while CISOs generally lack the scale and resources to develop their own tools. This creates a critical dependency on security vendors and constant questions about which tools are the right fit for their organization.

What makes ‘good security?’

Being a defender is always a tough job. As one CISO said, “We have to win every day, for every attack, whereas the hacker only has to win once.” This predicament forces many CISOs to constantly reassess what constitutes ‘good security’.

Despite the growing sophistication of many criminal groups, CISOs also recognize that basic security processes—dealing with legacy technology and patching vulnerable systems—would protect against many of the threats they face. They acknowledge these steps are key to closing the gap with their adversaries.

Whether a result of the pushback they receive or the realities they face, most CISOs (71%) report that their own ideas about security have evolved.

However, this question is hotly debated. More than a quarter of CISOs, 29%, believe that good security is still the same as it ever was: focused on managing risks – especially where employees will always be a network’s weakest link – with the basics, rather than relying on new-fangled security technology. Others argue that good security has changed for the better, with more and more stakeholders recognizing its importance thanks to better outreach and training.

One thing all the CISOs agreed on was that they and their teams need to take more responsibility for any cyber incidents that affect the business. That responsibility exists, despite that growing numbers of attacks, limited resources and a constant debate about what they should prioritize. That, in short, is the CISO’s dilemma.

For tips on mitigating risks effectively, check out CISO’s New Dawn.