A year ago, we talked about the UK responses from our annual CISO Benchmark Study; which asks hundreds of UK Cybersecurity leaders how they’re currently tackling issues, and what the impact has been over the last year.
The main conclusion from 2018 was that the majority of organisations in the UK were suffering from cybersecurity fatigue (defined as virtually giving up from proactively staying ahead of malicious threats and actors), and more needed to be done to encourage companies to get more out of what they have already got, get it connected, and remove tools that don’t work together.
This would help with managing alerts and false positives, and also develop a more “front foot” approach that would help with larger downtime figures and associated costs than the global average.
So how has the last year panned out? Here are the 2019 stats for the UK from Cisco’s CISO Benchmark Story. At the end of this blog, we offer some recommendations for defenders based on this year’s findings.
Firstly, let’s take a look at cybersecurity fatigue levels (defined as virtually giving up on trying to stay ahead of malicious threats and actors). In 2018, 63% of UK organisations said they were suffering from burnout. In 2019, this figure has decreased dramatically to 24%, which is less than the global average of 30%.
Do you believe that your organisation is suffering from cyber fatigue?
UK | Global | |
Yes | 24% | 30% |
No | 76% | 70% |
Consolidating vendors, managing less alerts, and working on solving the talent gap problem (all covered in these stats) may well be contributing to this vast turnaround over the last year.
To what extent does your company employ a defence-in-depth approach for internet-controlled sensors or IoT devices?
1 = Not at all
5 = A great extent
UK | Global | |
1 | 0 | 0 |
2 | 0 | 0 |
3 | 9% | 12% |
4 | 18% | 52% |
5 | 73% | 35% |
The UK is considerably more prepared for the rise in IoT threats. VPN Filter last year was a good example of this type of threat.
To what extent do you agree or disagree with this statement:
My organisation’s executive team has established clear metrics for assessing the effectiveness of our Security program:
UK | Global | |
Strongly disagree | 2% | 1% |
Somewhat disagree | 5% | 4% |
Somewhat agree | 44% | 36% |
Strongly agree | 50% | 59% |
94% of UK organisations have clear metrics for assessing the effectiveness of Security programmes, although less are in the ‘strongly agree’ column than worldwide.
Thinking about your most severe data breach in the last year, how long were your systems down for?
UK | Global | |
0 hours | 6% | 6% |
Less than 1 hour | 17% | 12% |
1-4 hours | 23% | 27% |
5-8 hours | 29% | 25% |
9-16 hours | 14% | 18% |
17-24 hours | 8% | 8% |
More than 24 hours | 3% | 4% |
No security breaches in the last year | 2% | 1% |
In the UK, 23% of breaches resulted in downtime of less than an hour. This is better than the global average, which is 18%. 43% of UK organisations were down between 5 and 16 hours.
The UK’s figures overall are very similar to the rest of the world, which is an improvement on last year, when 68% of British companies had to manage an outage of more than 5 hours due to a breach (vs. 58% global).
What sort of business areas or relationships, if any, were most negatively impacted by security breaches which your organisation has managed in the past year?
UK | Global | |
Brand Reputation | 41% | 32% |
Intellectual Property | 26% | 26% |
Finances | 30% | 28% |
Operations | 22% | 36% |
Legal Engagements | 22% | 21% |
Customer Retention | 28% | 33% |
Business Partner Relationships | 22% | 23% |
Supplier Relationships | 36% | 24% |
Regulatory Scrutiny | 26% | 23% |
Brand reputation and supplier relationships appear to affect UK organisations more so than other countries.
What type of improvements were made to better protect your company from security breaches?
UK | Global | |
Hired or created CISO position | 37% | 34% |
Established formal set of policies and procedures | 31% | 34% |
Established compliance/ risk management office | 38% | 33% |
Formed a team that specialises in Security | 31% | 37% |
Separated Security team from the IT department | 31% | 35% |
Increased investment in security defence technologies/ solutions | 47% | 44% |
Increased investment in the training of Security staff | 43% | 40% |
Increased security awareness training among employees | 52% | 39% |
Automated security defences | 32% | 36% |
Increased focus on risk analysis and risk mitigation | 46% | 39% |
Increased focus on preventing security breaches caused by employee-owned mobile devices | 35% | 36% |
Increased enforcement of data protection laws and regulations | 32% | 37% |
The UK was slightly more likely to hire a CISO after a severe breach, which means more strategy, and more time in the boardroom for Security. The UK spent more time training employees to spot security threats than other countries.
Hiring a CISO and having strong leadership could well have contributed to the much improved cybersecurity fatigue levels.
To what degree is your organisation using AI to reduce the level of effort to secure the organisation?
1 = Not at all
3 = Somewhat reliant
5 = Completely reliant
UK | Global | |
1 | 4% | 3% |
2 | 9% | 6% |
3 | 31% | 26% |
4 | 35% | 36% |
5 | 20% | 30% |
The UK is less reliant on AI than the rest of the world, but still 86% are reliant in some way. Advanced capabilities in AI can enhance network security defences and, over time, “learn” how to automatically detect unusual patterns in web traffic that might indicate malicious activity.
Many security executives told us in the 2019 Security Benchmarks Capabilities Survey that they are frustrated by the number of false positives from their security infrastructure, since false positives increase the security team’s workload.
These concerns should ease over time as artificial intelligence technologies mature, and learn what is “normal” activity in the network environments they are monitoring.
To what degree is your organisation using Machine Learning to reduce the level of effort to secure the organisation?
1 = Not at all
3 = Somewhat reliant
5 = Completely reliant
UK | Global | |
1 | 4% | 2% |
2 | 8% | 6% |
3 | 33% | 26% |
4 | 39% | 40% |
5 | 15% | 27% |
The UK is less completely reliant on ML than the rest of the world, but 88% of organisations are reliant in some way.
Machine learning is useful for automatically detecting “known-known” threats—the types of infections that have been seen before. But its real value, especially in monitoring encrypted web traffic, stems from its ability to detect “known-unknown” threats (previously unseen variations of known threats, malware subfamilies, or related new threats) and “unknown-unknown” (net-new malware) threats.
The technology can learn to identify unusual patterns in large volumes of encrypted web traffic and automatically alert security teams to the need for further investigation.
That latter point is especially important, given that the lack of trained personnel is an obstacle to enhancing security defences in many organisations.
To what degree is your organisation using Automation to reduce the level of effort to secure the organisation?
1 = Not at all
3 = Somewhat reliant
5 = Completely reliant
UK | Global | |
1 | 3% | 1% |
2 | 4% | 3% |
3 | 28% | 21% |
4 | 41% | 40% |
5 | 24% | 35% |
The UK is very reliant on automation, with 93% reliant on it in some way. Tools for automation that provide network context can also give security analysts insight into potential leak path issues. In addition, implementing appropriate segmentation policies can help security teams quickly determine whether unexpected communication between networks or devices is malicious.
Such technologies are powerful tools for visibility, automation and insight, yet the advice is for organisations not to overlook traditional techniques, or the importance of people.
Self-propagating, network-based attacks like WannaCry and Nyetya could have been prevented (or at least had minimised impact) if more organisations had applied fundamental security practices such as patching, setting appropriate incident response processes and policies, and segmenting their networks.
How effective are the security tools in your organisation with regards to dynamically defending against shifts in adaptive threats?
UK | Global | |
Not at all | 0% | 0% |
Not very | 4% | 3% |
Somewhat | 28% | 25% |
Very | 51% | 49% |
Extremely | 16% | 23% |
The UK is well prepared to deal with adaptive threats, with 67% of organisations saying they are very or extremely prepared.
Which of these pose the highest obstacles to adopting advanced security processes and technology at your organisation?
UK | Global | |
Budget constraints | 39% | 35% |
Competing priorities | 35% | 26% |
Lack of trained personnel | 23% | 24% |
Lack of knowledge about advanced security processes and technology | 24% | 22% |
Compatibility issues with legacy systems | 28% | 27% |
Certification requirements | 23% | 24% |
Organisational culture/ attitude about cyber security | 19% | 21% |
Reluctant to purchase until they are proven in the market | 21% | 20% |
Current workload too heavy to take on new responsibilities | 27% | 22% |
Organisation is not a high value target for attacks | 11% | 16% |
Security is not an executive level priority | 10% | 13% |
Budget is the biggest issue for UK companies, followed by competing priorities, compatibility with legacy systems, and their current workload being too heavy to take on new priorities.
Interestingly, lack of trained personnel was one of the top concerns last year. This has now been reduced by almost 10%. Again, this may be contributing to much better cybersecurity fatigue levels.
To what extent do you agree with this statement – “Leveraging Cloud Security solutions allows us to be more effective than operating with on premise solutions.”
UK | Global | |
Strongly disagree | 1% | 1% |
Somewhat disagree | 7% | 7% |
Somewhat agree | 61% | 52% |
Strongly agree | 32% | 41% |
94% of UK organisations agree to some extent that leveraging Cloud solutions allows them to be more effective than on premise.
Which of these pose the biggest security risks for your organisation?
UK | Global | |
Proliferation of BYOD and smart devices | 22% | 19% |
Cloud computing | 22% | 25% |
Outsourcing of critical business to a 3rd party (and lack of control around 3rd party services) | 18% | 20% |
Viability of disaster recovery and business continuity | 18% | 19% |
Regulatory compliance constraints | 21% | 19% |
Advanced persistent threats | 31% | 30% |
Ransomware | 34% | 30% |
Targeted attacks | 39% | 37% |
Insider exfiltration | 25% | 24% |
DDOS attacks | 29% | 29% |
None of the above | 3% | 3% |
The UK is most concerned about BYOD and smart devices, which is perhaps why there is such a focus on protecting IoT threats. Even though the Cloud allows them to be more effective, the UK is worried about the Security implications.
This is good that the UK is concerned about this, as businesses can’t simply offload security responsibility by moving data to the cloud: They must still be knowledgeable about the security controls imposed by cloud providers as well as how potential breaches in the cloud might impact on-premises resources.
How many different security vendors are used within your security environment?
UK | Global | |
1-5 | 45% | 36% |
6-10 | 28% | 27% |
11-20 | 19% | 22% |
21-50 | 7% | 11% |
More than 50 | 2% | 3% |
The UK has made huge strides to consolidate their security infrastructures over the past year. In 2018, 35% of organisations were using more than 20 vendors, which was way above the global average. This year, only 9% are in that category.
Our industry is (thankfully!) moving from a point product solutions approach to more of a connected security solutions approach. Connected security doesn’t have to all come from one vendor – what’s crucial, for the sake of making our businesses safer, vendors must together to have their solutions working together in harmony. UK companies are currently using more vendors, but the emphasis should be on ensuring these vendors are connected.
Connected security means we can help our customers simplify their infrastructure, remediate attacks more quickly, and also mitigate the skills shortage because teams will be managing less interfaces. Sometimes there’s commercial gain in managing less vendors as well.
The crucial thing is to ‘use what you’ve got’ before replacing everything, and making sure that everything comes back to the problem you’re trying to solve. At Cisco we’re committed to third party integration so that our customers are better protected. The bad guys are working collaboratively and connected, so we need to make sure, as an industry, that we’re doing the same. Otherwise we will always be playing the hackers’ game, and having the rules dictated to us.
The fact that UK organisations have consolidated their infrastructures, and are receiving fewer alerts as a result, may well be contributing to better cybersecurity fatigue levels.
How challenging is it for you to orchestrate alerts from multiple vendors’ security products?
UK | Global | |
N/A – We don’t use products from multiple vendors | 3% | 2% |
Not challenging at all | 22% | 21% |
Somewhat challenging | 52% | 53% |
Very challenging | 26% | 26% |
78% of UK organisations find it challenging to manage security alerts from multiple vendors’ products.
On average, how many security alerts does your organisation see on a daily basis?
UK | Global | |
None | 6% | 7% |
Less than 5000 | 49% | 42% |
5001 – 10,000 | 18% | 17% |
10,001 – 50,000 | 10% | 12% |
50,001 – 100,000 | 9% | 9% |
100,001 – 150,000 | 4% | 6% |
150,001 – 250,000 | 2% | 4% |
250,001 – 500,000 | 1% | 3% |
More than 500,000 | 1% | 1% |
55% of UK organisations receive less than 5000 alerts every day. 19% receive between 10,000 and 100,000. 8% receive over 100,000 alerts every single day.
What percentage of your alerts are investigated?
UK | 50% |
Global | 51% |
The UK’s investigation levels have gone down from 58% to 50% this year (globally, this has gone down from 56% to 51%).
Of those that are investigated, what percentage turn out to be legitimate incidents?
UK | 19% |
Global | 24% |
Only 19% of alerts are legitimate, which suggests a lot of false positives.
What percentage of legitimate alerts are remediated?
UK | 39% |
Global | 43% |
Only 39% of actual security alerts are remediated, which means 61% of incidents are getting through the cracks.
Recommendations:
With the challenges that UK organisations are telling us they are experiencing from a multi-vendor environment, it might be pertinent to consider a Zero Trust approach.
This approach looks to simplify security by looking at three key areas:
- Workforce (protect your users and their devices against stolen credentials, phishing, and other identity-based attacks)
- Workload (managing multi cloud environments and contain lateral movement across the network)
- Workplace (gain insights into users and devices, identify threats and maintain control over all connections in your network).
To secure the workplace, zero trust starts with establishing a level of trust around the identity of the user and what they can access to work within the organisation’s environment. Having checked the device and authenticated the user, the next fundamental element is controlling what doors to what applications they can enter, and what is considered out of bounds.
The Zero Trust approach is about restricting a user so that they can only enter an area which is approved and relevant to their duties. This all needs to be done with minimal impact on the end user. Introducing difficulty into any security control area just breeds avoidance. What is appealing about the agile and flexible approach is its ability to bring new applications on board wherever they are found – whether running in the cloud, in a local data centre or a third-party application. No matter where the doors are, they can be open or shut from a central point based on a policy.
Streamlining your existing Security tools, and managing complexity
For many organisations, you’ve been forced to pick individual solutions from an industry that’s rife with incompatibility. This has put you on an endless treadmill of stitching up products that don’t easily fit together. And that’s on top of everything else—new regulations, board mandates, budgets, the revolving door of security talent. The grind never stops.
At the heart of your platform should be a simple idea: security solutions should be designed to act as a team. They should learn from each other. They should listen and respond as a coordinated unit. When that happens, security becomes more systematic and effective.
The crucial thing is to ‘use what you’ve got’ before replacing everything, and making sure that everything comes back to the problem you’re trying to solve. At Cisco we’re committed to third party integration so that our customers are better protected. The bad guys are working collaboratively and connected, so we need to make sure, as an industry, that we’re doing the same. Otherwise we will always be playing the hackers’ game, and having the rules dictated to us.