Security Leaders Share 5 Steps to Strengthening Cyber Resilience

Strengthening your cyber resilience does not happen overnight. Here are five steps organizations can take to confidently move towards better cyber resiliency.


With new threat actors emerging every day and a growing number of cyber attacks making headlines, cybersecurity has become a critical business imperative. Security leaders face the dual challenge of needing to stay competitive in a rapidly evolving business landscape while also defending against increasingly serious cyber threats, reducing complexity, and facilitating their organization’s digital transformation.

To better understand emerging security trends and top concerns among Chief Information Security Officers (CISOs), Microsoft Security conducted a survey of more than 500 security professionals. Based on the responses we received, we developed five steps organizations can take to improve their cyber resilience. Keep reading to uncover our insights.

  1. Embrace the vulnerability of hybrid work and build resilience

The move to hybrid work has forced businesses of all types into the cloud. According to one study, 82% of respondents said they had ramped up their use of cloud in response to the pandemic and the shift to remote work, with 60% saying their use of off-premise technologies had continued to grow since then.[1] This has resulted in more people working in difficult-to-defend environments such as within cloud applications, across platforms, on personal devices, and on home networks. Is it any surprise, then, that 61% of security leaders view the cloud as the digital feature that is most susceptible to attack and two out of three believe that hybrid work has made their organization less secure?

This concern is not unfounded given that 40% of all attacks in 2021 and half of all cloud attacks significantly impacted businesses. As such, cloud and network vulnerabilities have become the top security concern for security leaders — even ranking above malware. In particular, 45% of security professionals identified email and collaboration tools, both of which are frequently used for remote work, as their most vulnerable digital feature.

Microsoft’s research revealed that breaches due to cloud misconfiguration are just as common as malware attacks and are even more associated with significant damage to the business. While roughly half of cloud and IoT breach victims reported significant business impact in the form of operational downtime, sensitive data being stolen, and reputational damage, fewer than a third of malware and phishing victims suffered this level of damage. According to security decision-makers in our survey, about 40% of security breaches in the past year significantly impacted the business.

Organizations no longer have the opportunity to bunker down behind the walls of their internal corporate network. Instead, they must embrace vulnerability as a feature of the hybrid work environment and look for ways to minimize the business impact of attacks. One way to do this is by partnering with cloud experts. Securing the cloud is different from securing an internal network and can often be challenging. For this reason, it’s a good idea to have cloud security specialists on your team given that some of the main cloud vulnerabilities include administrator errors, such as misconfiguration and inconsistent implementation of security policies.

  2. Limit the impact of ransomware attacks

Cyber criminals are capitalizing on the corporate move to the cloud. In 2021, one in five businesses surveyed experienced a ransomware attack and roughly one-third of security leaders list ransomware among their top concerns. This is a well-founded fear given that ransomware breaches increased by 13% in 2021.[2]

Ransomware attacks can have a significant impact on businesses. While the financial aspects such as the cost of ransom, escalation, notification, lost business, and response are disruptive, it’s only part of the story. Forty-eight percent of ransomware attack victims in our study report that attacks caused significant operational downtime, exposure of sensitive data, and reputational damage. Furthermore, organizations that paid the ransom only recovered 65% of their data on average, with 29% getting back no more than half their data.

So, how can security leaders respond? Zero Trust is currently the gold standard. Because ransomware attacks come down to three primary entrance vectors — Remote Desktop Protocol (RDP) brute force, vulnerable internet-facing systems, and phishing — organizations can limit damage by forcing attackers to work harder to gain access to multiple business-critical systems.

Zero Trust principles like least-privilege access are especially effective at preventing attacks from traveling across networks and discovering valuable data. Zero Trust can also be an effective method for addressing human-operated ransomware.

  3. Elevate cybersecurity into a strategic business function

There’s an interesting mindset shift happening among CISOs: a strong security posture should focus on building awareness of the threat landscape and establishing resilience, not on preventing individual attacks.

Microsoft’s survey data supports this line of thinking: 98% of respondents who reported feeling extremely vulnerable to attack were also implementing Zero Trust, and 78% already had a comprehensive Zero Trust strategy in place. Because Zero Trust assumes breach and optimizes for resilience rather than protection, respondents who indicated maturity in their Zero Trust journey were also more likely to see attacks as an inevitability rather than a preventable threat.

And while implementing Zero Trust does not necessarily result in fewer attacks, it can help reduce the average cost of a breach.

So, for security leaders who are looking to elevate security from a protective service to a strategic business enabler, the first step is assessing the Zero Trust maturity stage of your organization. This can help establish a resilient security posture and proactive approach to cybersecurity that facilitates more effective hybrid work, improves consumer experiences and confidence, and supports innovation.

  4. Maximize your existing resources

Part of being a mature security organization is understanding the inherent threats that are present in today’s complex digital environments. However, many CISOs are also optimistic about their ability to manage future challenges down the road. According to the security leaders we interviewed in our study, in just two years, many vulnerable aspects of our current digital environment are anticipated to become less of a liability.

For example, while nearly 60% of leaders see networks as a vulnerability today, only 40% see the issue persisting two years from now. Likewise, 26% fewer cite email and collaboration tools and end-users as anticipated concerns in 2024 compared to 2022, roughly 20% fewer see supply chain vulnerability as a top concern, and 10 to 15% fewer respondents view endpoints and cloud applications as a top security concern. Only Operational Technology (OT) and IoT are expected to be the same or more of a challenge two years from now.

This particular set of results from our study is especially interesting when you consider the gravity of the cyber threats that we’re facing today. While attacks are increasing in severity, security professionals also see them as a declining risk, because they are confident that today’s approach to security will better protect organizations in coming years as it is implemented across supply chains, partner networks, and ecosystems.

In order for organizations to advance their cybersecurity maturity, it’s important to ensure comprehensive implementation of security tools. Building on a strong Zero Trust foundation, organizations can optimize their existing security investments like endpoint detection and response, email security, identity and access management, cloud access security broker, and built-in threat protection tools.

  5. Implement security fundamentals

It’s no secret that today’s CISOs are being asked to do more with less. Therefore, it’s critical for security leaders to manage risk and set the right priorities. Prioritizing foundational cyber best practices is a great place to start, as Microsoft estimates that basic security hygiene still protects against 98% of attacks.

Nearly all cyberattacks can be thwarted by enabling multifactor authentication (MFA), applying least privilege access, updating software, installing anti-malware, and protecting data. And yet, we still see low adoption of strong identity authentication. Across industries, only 22% of customers using Microsoft Azure Active Directory (Azure AD), Microsoft’s Cloud Identity Solution, had implemented strong identity authentication protection as of December 2021.

For security leaders, this represents an important learning: start with identity. Whether it’s MFA, passwordless protection, conditional access policies, or more, having secure identity protections can minimize the opportunity for threat actors and raise the bar for attacks.

Strengthening your cyber resilience does not happen overnight. It is a continuous journey that all organizations are on as we continue to move forward in this rapidly changing threat landscape. By prioritizing what needs to be attended to first based on risk, organizations can incrementally apply these five steps to confidently move towards better cyber resiliency.

Want to uncover more insights from Microsoft’s 2022 cyber resilience survey? Download the full report here.

[1] https://www.computerweekly.com/news/252484865/Coronavirus-Enterprise-cloud-adoption-accelerates-in-face-of-Covid-19-says-research

[2] https://www.verizon.com/business/resources/reports/dbir/2022/master-guide/

Copyright © 2022 IDG Communications, Inc.