Organizations can only stop 57 percent of cyberattacks
Over the last two years, the average organization's cybersecurity program was prepared to preventively defend against, or block, just 57 percent of the cyberattacks it encountered. This means 43 percent of attacks launched are successful and need to be remediated after the fact.
This is among the findings of a new report from Tenable, based on a survey of over 800 IT and cybersecurity leaders carried out by Forrester Consulting.
For 58 percent of respondents, the focus is almost entirely on fighting successful attacks rather than working to prevent them in the first place. This is put down largely to a struggle to obtain an accurate picture of their attack surface, including visibility into unknown assets, cloud resources, code weaknesses and user entitlement systems. In addition, the complexity of infrastructure, with its reliance on multiple cloud systems, numerous identity and privilege management tools and various web-facing assets, brings with it many opportunities for misconfigurations and overlooked assets.
Respondents are particularly concerned with the risks associated with cloud infrastructure, given the complexity it introduces in trying to correlate user and system identities, access and entitlement data. 75 percent view cloud infrastructure as the greatest source of exposure risk in their organization. The highest perceived risks come from the use of public cloud (30 percent), multi-cloud and/or hybrid cloud (23 percent), private cloud infrastructure (12 percent) and cloud container management tools (nine percent).
"Preventive security is no longer an optional approach to risk management, but a prerequisite," says Robert Huber, chief security officer and head of research at Tenable. "The scattershot firefighting by security organizations is a recipe for failure, especially with the expansion of the attack surface and exposure points caused by trends like cloud migration and AI. We're speaking with more and more organizations about the importance of proactively understanding and reducing risk, and this research underscores that many of them know this intuitively, but are struggling with headwinds that are often beyond their control. We hope to foster more collaborative discussion between stakeholders to simplify their practices and get to the risk data they actually need for faster prioritization and remediation."
Among other findings, 75 percent of respondents say they consider user identity and access privileges when they prioritize vulnerabilities for remediation, while 50 percent say their organization lacks an effective way of integrating such data into their preventive cybersecurity and exposure management practices.
In addition, 57 percent say a lack of data hygiene prevents them from drawing quality data from user privilege and access management systems, as well as from vulnerability management systems. On average, it takes 15 hours a month to create reports for business leaders about the health of organizational security infrastructure.
The full report is available from the Tenable site.