Cybersecurity Awareness Does Not Translate to Preparedness & Protection
Today’s senior-level security executives are keenly aware that cybersecurity risks abound. However, too many of them lack the staff and technology tools to effectively address those threats, even though they believe the threats will increase in the next 12 months, according to new research by the Ponemon Institute (commissioned by SolarWinds MSP).
Titled The 2017 Cyberattack Storm Aftermath, the research polled 202 US and UK senior-level security executives, focusing specifically on awareness of ransomware and Vault 7-type threats. Vault 7 threats include malware variants, such as Year Zero, Dark Matter, Weeping Angel, and HIVE. Most respondents said their organizations dealt with these threats at least once over the previous year.
While executives demonstrated an understanding of ransomware threats such as WannaCry and Petya, both of which were used in massive multicountry cyberattacks in spring 2017, “most respondents have a low level of knowledge and perception regarding the risk of Vault 7 attacks,” the report says.
The research makes it clear businesses need help from MSPs and MSSPs to address cybersecurity needs. Some organizations in the study already work with third-party security providers, but a full third (33 percent) do not, which means there is plenty of opportunity ahead for qualified MSPs.
More troubling than awareness levels was how respondents rated their ability to address threats. More than half (53 percent) believe cyberthreats will worsen in the next 12 months, and even more respondents admitted their organizations lack the ability to prevent or detect them.
Only 9 percent said their organization can prevent an attack involving a Vault 7 variant such as Dark Matter or After Midnight, while 11 percent of respondents said they can prevent a Weeping Angel attack.
Confidence is higher in ransomware defenses, with 72 percent of respondents saying they can detect a WannaCry attack and 67 percent saying they could detect Petya. However, their confidence in prevention is much lower—29 percent for Petya and 28 percent for WannaCry.
It’s no secret organizations face serious challenges in addressing cyberthreats. “Less than half of respondents believe their organizations’ enabling security technologies and budget are sufficient to prevent, detect, and contain risk,” the report says.
Even among those who rated their security budget as sufficient, 85 percent said it needs to increase to keep up with cybersecurity threats. Meanwhile, only a small minority of organizations have a full complement of cybersecurity experts in-house. Seventeen percent work with outside resources such as MSSPs and 24 percent engage a combination of external and internal experts. However, one third (33 percent) do neither.
Not helping matters is the fact that too many organizations do not employ basic practices to mitigate risk—such as applying security patches. Even though patches were issued for Petya and WannaCry, 45% and 56% of respondents, respectively, did not implement them. In addition, organizations often fail to take advantage of free cybersecurity intelligence sources, such as US-CERT bulletins, which help identify cybersecurity threats.
Lack of preparedness is a problem for businesses but also an opportunity for MSPs with the right managed security services to become their clients’ security consultants. That means helping them assess their risk profiles, conducting scenario planning, preparing incident response plans (IRPs), and providing technology to help prevent and respond to cyberthreats. Technology offerings should include endpoint protection, threat detection, anti-phishing tools, and data backup and recovery.
The need is immediate because there simply aren’t enough skilled experts for companies to hire. This partly explains why 82 percent of organizations want to outsource security. The opportunity is there for MSPs; the question is whether they’re ready to take it.