Majority of firms have been breached in the last year, fuelling threat detection investment


Most businesses in the UK (88%) have suffered a barrage of security attacks in the last year, resulting in many now investing heavily in threat detection as well as prevention, rather than cure post-event.

On average, each firm experienced 3.67 breaches during 2018, according to research by Opinion Matters, commissioned on behalf of cloud-based endpoint security firm Carbon Black and carried out across 250 C-level decision makers in January this year.

This average is much higher in the public sector, where all respondents from government and local authorities said they had been breached in that period, averaging 4.65 breaches each, and some 40% said they had been breached more than five times in 2018.

The research found that, across the board, the attacks themselves are growing in volume and ferocity, forcing organisations to change the way they look at the threat landscape and how they respond to it proactively as well as reactively.

"I think it is possible to be in a spot that is defensible for the things that matter with the spend you have. What I see far too often, though, is misidentification of the assets that are critical and then an unrealistic threat profile," said Rick McElroy, head of security strategy at Carbon Black.

"It's people, process and technology. Having enough time to create that culture to educate other leaders in the organisation [is key]. They're not very well educated. They might be aware, but they're not very educated on the subject."

McElroy added: "My caution to leaders and people in defence is that you can't cry wolf and ring bells all the time. It's just not appropriate. But, creating a realistic conversation around the threats and where you invest to defend against those, that's where we need to educate more people in a company to create that culture of security. It makes it sticky in that organisation so that if you fast-forward 10-15 years after the leader who created the culture, the company is still going to have that culture of security. They will probably be more successful in defending against things and probably have fewer incidents."

Malware was cited as the most commonly encountered type of attack, with ransomware in second position. One in five successful breach attempts came about as a result of phishing, highlighting the importance of basic security hygiene as well as more sophisticated responses to the threats.

Humans continue to be the weakest link when it comes to security, but they also hold the power when it comes to shoring up defences, according to McElroy.

Almost two-thirds (60%) of businesses said they now actively threat hunt, with just over a quarter of them having been engaged in this activity for at least a year. The majority (95%) said this approach has made their security much more robust and effective.

"If I have a team that actively goes out and looks for bad activity in my environment, typically what will happen is one of two things. You're going to find bad activity or you're not. But, while you're out hunting, you're able to identify areas of weakness. That might be logs you don't have or data you're missing," McElroy added.

"You're seeing threat hunters making programmes proactive and more agile so they can decrease how long it takes to make changes and do that in a more rapid fashion, which helps them disrupt the attackers."

Outside of threat hunting and increased investment, it's absolutely key that the industry continues to share knowledge and experiences of incidents, while also ensuring greater dialogue and transparency between the IT and business functions within an individual organisation.

"The job of security is to keep the train on the tracks moving as fast as possible. In my humble opinion, there's been a wave of leaders who decided to say 'no' - who didn't really look at the business to enable them but instead looked at everyone in the business as a risk," McElroy said.

"That's the wrong approach. It's much better to give someone something new that's secure before you take something away. If you take it away, they're not going to like you very much and are probably not going to participate in your programme."

Maggie Holland