Security's Lament: The state of cyber security in the UK

iomart Cyber Security Report October 2023

"Organisations that establish a robust cyber security framework aligning with their strategy are well positioned to shape the future"

Welcome from Lucy

The second iteration of a research report is often the most interesting - having set a benchmark the first time around, it's always very useful to be able to see how things have changed and developed.

We've worked again this year with Oxford Economics, an independent research expert, to gather the opinions of 500 senior cyber security leaders and find out about their experiences over the last 12 months.

Many of the key issues we unearthed last year remain. Cyber leaders report a near-constant battery of attacks from online threat actors, compounded by increasing costs and tightening budgets. They face the unenviable balancing act of keeping their organisations safe, often with fewer resources. The noisy landscape of technology solutions, including the breakaway star of 2022/23 - generative AI - can make it difficult to know how to optimise cyber defences.

What's concerning is that our research found an increase in the number of attacks over the last 12 months. The news headlines are still too frequently occupied by another household name which has suffered a successful breach. And for every one of these high-profile attacks, there are many more we don't hear about.

Our intention with this research is to help cyber decision-makers better understand the bigger picture of the threat environment and how others are approaching this pernicious challenge. By working together and learning from each other, we can reduce our risk of falling victim to determined criminals and more confidently take advantage of the growing benefits of a connected world.

We hope this report helps make those tough decisions a little easier.

Best wishes,
Lucy Dimes, CEO iomart Group plc

Contents

Introduction
Part 1 - Balancing threats and budgets
Part 2 - Tech has become increasingly integral to a strong cyber strategy
Part 3 - Talent is crucial in combatting threats
Part 4 - How does my industry stack up?
Conclusion

Introduction

Organisations that establish a robust cyber security framework aligning with their business and IT strategies are well positioned to shape the future. This alignment not only improves their resilience against today's inevitable, and often costly, cyber threats, but also fosters an environment favourable to innovation and revenue generation. Cyber security strategy has become integral to both the day-to-day functioning of business operations and the determination of potential growth.

Yet organisations are operating in an unpredictable landscape, with their efforts muddled by inflation, geopolitical tension, a cost-of-living crisis, and even advances in technology, such as generative AI. Bad actors are taking advantage of these circumstances - the past year saw a sharp rise in the average number of attacks over the year before.

To make matters worse, despite upticks in the frequency and intensity of cyber attacks, many organisations' cyber security strategies are still in their infancy, remaining at the periphery of their business processes. For companies to remain competitive or outperform their rivals, those strategies will have to mature rapidly. And they must overcome a cyber security talent pool that is running dry, as well as budgetary constraints, as cyber security competes for allocation against an abundance of other challenges.

The cyber security industry is also undergoing significant changes - as many new players enter the market and mergers and acquisitions consolidate suppliers. Despite the industry's complexity, though, organisations are eager to engage with it to get on top of their cyber woes, acknowledging the potential profit, reputation, cost, and efficiency benefits.

To that end, many organisations have at least taken initial steps:
Invested in cyber security services and products to understand points of vulnerability and manage threats;
Introduced cyber hygiene and multi-factor authentication to create a culture of security; and
Focused on employees, procuring training, and upskilling.

To take the pulse of cyber security, Oxford Economics and iomart surveyed 500 executives responsible for their organisation's cyber strategy. The sample includes executives from a range of industries - most with more than 1,000 employees - all based in the UK. The survey revealed these key takeaways:

Budgetary constraints hamstring cyber strategies in the face of increased incidents. A majority have an inadequate budget to fully protect their organisations at a time when many cite the increased cost of remediation as a major challenge. Rising insurance premiums can add to already strained budgets.

There is a promising future for cloud and automation within cyber strategies. Businesses are increasingly investing in such technologies to bolster cyber security. With many concerned by shortages in their internal cyber skills and awareness, these technologies are seen as particularly pertinent given their importance to email screening and automated resolutions.

While deploying the appropriate technology is crucial, effectively leveraging it requires the right people. The security skills gap yawns large and remains the biggest challenge for most cyber strategies. With internal skills and resources lacking, organisations face a major hurdle. To combat these obstacles and get the most from their tech investments, executives plan to invest in employee training while also hiring in-house specialists and third-party consultants.

Methodology/demographics and key definitions

Sample: Cyber security strategy decision-makers (n=500)
Executive titles: CTO, CIO, CISO, CFO, COO, Chief Digital Officer, CEO, Chief Risk Officer, Chief Data Officer
Sectors covered: Software, Professional services, Legal, Finance, Not-for-Profit, Government, Insurance, Healthcare, Manufacturing, Retail, Transportation, Consumer products
Company sizes represented: Most respondents have more than 1,000 employees. 20% have £250m to £499m in revenue, 20% have £500m to £999m in revenue, 20% have £1bn to £4.99bn in revenue, 20% have £5bn to £9.99bn in revenue, 20% have more than £10bn in revenue.
Locations covered: Respondents are all from the UK
Dates fielded: July 2023

Part 1: Balancing threats and budgets

Threats are constantly evolving. More than a third of decision-makers say keeping up with the pace of evolving threats is a top challenge. Over the last year, organisations experienced an average of 30 cyber incidents, which represents an annual increase of six incidents over the 24 reported last year. And these are the ones organisations know about. Not surprisingly, phishing (56%) and malware (55%) remain the threats of greatest concern to executives for the second year in a row, and less than half are confident in their organisation's ability in handling them (49% phishing, 48% malware). Fewer still (one quarter) are sure of their ability to deal with ransomware - a threat that continues to dominate headlines globally. Not to mention disruptions from the past three years continue to complicate their ability to protect themselves - executives are struggling with managing increased volumes of data, the pace of technology, and supply chain disruptions within their security strategy.

Keeping pace with threats is more important than ever. To respond, or even become more proactive, organisations are looking to improve their cyber postures, allocating an average of £40,190 to vulnerability assessments, penetration testing, or red team engagements. However, they are also fully aware these measures alone are not sufficient, and they need more money to underpin their plans. More than a quarter (27%) of organisations think their current cyber security budget is inadequate to fully protect them from emerging threats.

[Chart: Approximately how many cyber security incidents has your organisation experienced over the last year?]

But budgets hamstring efforts. Tight budgets continue to be a top barrier in meeting cyber security goals, and rising cyber insurance premiums only stress budgets further. The increase in cyber premiums is ranked as the top change over the past two years, with 70% of respondents noting a rise and just 4% seeing a decrease. The uptick in pricing only adds to the cost of remediation, with the majority (54%) of respondents suggesting it is the second greatest impact of cyber security incidents, well above more traditional factors such as theft of data (18%) and negative financial impact (30%).

And the tightening of budgets creates blind spots.
With 41% of organisations being forced to sacrifice cyber security to keep the lights on during the pandemic, it is no wonder cyber security initiatives are not evenly applied across businesses. Only 37% of respondents agree that security is embedded into all their business processes and functions, while 14% admit that security is addressed on an ad-hoc or as-needed basis.

What impacts did your organisation experience as a result of cyber security incidents?
Fines from industry regulators (e.g., ICO, FCA): 9.4%
Theft of data: 18.2%
Negative financial impact: 30.2%
Significant business downtime: 32.0%
Loss of competitiveness: 36.6%
Negative reputational impact: 48.0%
Increased costs to remediate: 53.8%
Disrupted operations: 61.8%

Part 2: Tech has become increasingly integral to a strong cyber strategy

Leveraging existing technology. Executives may be feeling the crunch, but creating a strong cyber strategy on a tight budget is not impossible because some of the groundwork has been laid. Many organisations already have the technology to help them keep up. Cloud has become foundational to cyber strategies - almost three-quarters (74%) of organisations rely on private cloud, with 67% saying it has strengthened security. And nearly two-thirds (65%) lean hard on automation. More than half (53%) will use automated responses over the next two years, while 51% plan to employ both SIEM monitoring and automated resolution of security incidents.

Emerging tech comes into play. Despite a focus on well-established technologies, many executives also place considerable faith in emerging technologies. Well over one-third (38%) believe the increased use of AI and ML in threat detection and response will be a significant trend in cyber security over the next two years. In particular, they cite email screening (78%) and contextual analytics (69%) as dominant use cases for AI and automation. However, budgetary concerns (31%), compliance and regulatory requirements (23%), and a lack of skilled workers (23%) are obstacles to successfully implementing nascent technologies such as AI and automation.

Managing the tech shift. Figuring out where to start investing has proven difficult. Our survey found that executives have trouble sorting through the "noise" created by the tsunami of offerings and security players in the market to find the best fit for their organisation's needs and budgets - nearly two in five (38%) struggle with this. While most are generally enthusiastic about tech adoption - almost all respondents have invested in new products - only half say their investments have been effective. Purchasing tech and cyber security products without a clear strategy and people who can leverage it effectively diminishes its potential. To maximise the value of their investments, executives need guidance on navigating the shift to an increasing reliance on technology.

Has your organisation implemented, or does it plan to implement any of the following technologies to increase cyber security?
XDR (extended detection and response): 17.0%
IPS (intrusion prevention system): 19.4%
SOC (security operations centre): 21.0%
EDR (endpoint detection and response): 21.6%
SIEM (security information and event management): 22.0%
MDR (managed detection and response): 22.4%
IDS (intrusion detection system): 24.6%
ZTNA (zero trust network access): 26.6%
DLP (data loss prevention): 37.4%
Cloud - public: 50.0%
Data analytics: 59.4%
AI: 63.0%
Automation: 65.4%
Cloud - private: 74.0%

For which of the following cyber security tasks do you currently use AI or automation?
None of the above: 0.2%
SIEM monitoring: 32.9%
Playbook implementation: 38.2%
Automated responses: 38.6%
To bridge security skills gaps: 39.7%
Automated resolution of security incidents/Reducing alert fatigue: 42.1%
Contextual analytics: 69.1%
Email screening: 77.6%

Part 3: Talent is crucial in combatting threats

People are key to cyber success. As important as tech is to cyber security, executives are looking to their employees to be the first line of their cyber defence. More than half (53%) say cyber security culture and regular employee training to prevent human-related breaches will be crucial, indicating the continuation of a significant trend. In the past two years, 63% of organisations have invested in employee training.

[Chart: What steps has your organisation taken to protect itself from cyberattacks? Series: Adopted; Plan to adopt. Categories: Hired in-house specialists; Bolstered cyber security infrastructure; Conducted regular system audits to detect vulnerabilities; Employee awareness training; Invested in cyber security products; Invested in cyber security services; Introduced basic cyber hygiene (e.g., password management); Implemented multi-factor authentication; Developed and enforced approved list of IoT devices and connections; Hired third-party consultants; Implemented a regular patch management program; Increased vetting/audits of vendors/suppliers]

But getting people in place takes effort. Putting the right people in place is complicated by skills gaps
and a continuing shortage of skilled workers. Decision-makers say a lack of internal skills and resources constitutes the biggest challenge in meeting their cyber security goals. With burnout among cyber security staff on the rise - 30% believe their teams are suffering from it - getting the right talent (and the right technology to support them) is more important - but harder - than ever.

Flexible and hybrid work, a well-established work lifestyle for many office employees, has also introduced new challenges and vulnerabilities. Almost half of respondents (46%) say the bump in remote and flexible work - and a more geographically distributed workforce (36%) - have complicated their organisation's ability to protect against cyber threats. It is no wonder then that few feel confident in tackling their greatest cyber security threats and that reducing cyber risks created by employees has therefore become a priority for cyber security decision-makers.

Getting the right people. To close some gaps - outside of upskilling and reskilling employees - almost a third of organisations (32%) will hire in-house cyber security specialists in the next two years, and a full half (50%) will do the same for third-party consultants. Executives also are eyeing non-traditional talent sources to overcome skills shortages - 75% plan to hire from less-traditional pools of job candidates, such as gamers and ex-military. And more than half (55%) plan to expand cyber fluency to the top of the corporate ladder by stocking boards with people who have specific cyber security experience. Even more (72%) will create internships and apprenticeships. These steps are important to creating a more cyber security literate workforce that can successfully implement cyber strategy and leverage the technology investments associated with it.

What are the top challenges to meeting your organisation's cyber security goals?
Lack of interoperability between cyber security solutions and legacy technology: 13.2%
Increasing pace of mergers and acquisitions: 20.2%
Lack of use cases/perceived ROI for cyber security: 22.0%
Difficulty finding the right cyber security provider: 30.6%
Difficulty integrating cyber security into infrastructure: 31.4%
Budget/cost limitations: 35.0%
Keeping up with the pace of evolving threats: 35.8%
Too many cyber security products and services on the market: 41.0%
Lack of internal skills and resources (e.g., no dedicated function or 24/7 capability): 44.6%

Part 4: How does my industry stack up?

Finance and Insurance are still working out the kinks. There are stark differences between industries when comparing the number of cyber incidents they experience annually. On the high end of the spectrum sits Insurance, Finance, Not-for-profit, Healthcare, and Government, all seeing at least 31 incidents a year. Insurance, with the second highest number of incidents last year, reported the highest number of incidents this year, despite spending the second highest amount on cyber testing and assessments (£46,100 on average vs. £40,190 total). Finance fell from first place last year in the number of incidents they experience but is still comparable to Insurance. Organisations in this space face similar challenges, such as budget limitations, and agree there are too many cyber security products and services on market. Consequently, like those in many other industries, the Finance sector emphasises the increasing importance of cyber security culture and regular employee training to prevent human-related breaches.

The Public Sector is struggling to keep up. UK Public Sector organisations in Healthcare and Government are in a similar boat. Both are more likely to say cyber security threats have increased in frequency over the last two years (56% of Healthcare, 55% of Government vs. 48% of the survey total). In recent months, the UK Public Sector has been battling a wave of ransomware attacks, with critical infrastructure like the NHS Trusts, Ofcom, and pension services, all being targeted. Ransomware reasonably is by far their top concern, much higher than any other industry.

The Public Sector is also feeling the effects of cyber skills shortages at higher rates than the Private Sector, a potential explanation of why it is struggling to mitigate threats. Executives in this space are more likely to say it is harder and more expensive to find and retain cyber staff (38% of Healthcare, 48% of Government, vs. 34% survey total). Going forward, however, the Public Sector plans to invest in employee awareness training over hiring third-parties, in-house specialists, or purchasing insurance.

Manufacturing forges ahead. On the other end of the spectrum is Manufacturing, which, for the second year, has reported one of the lowest rates of cyber security incidents, at an average of 25 per year. Despite digitalisation deeply transforming the industry - and opening it up to cyber threats - executives in this arena are slightly less likely to say incidents have increased in frequency over the last two years (44% vs. 48% total).

The reasons behind the industry's seeming success range from the high-level strategic decisions to lower-level tactical and operational ones. Strategically, Manufacturing executives, compared to those in other industries, are significantly more likely to have embedded security into critical infrastructure and aligned cyber security and IT strategies. Tactically, they have gone to greater lengths to mitigate cyber risk by investing in cyber security products, outsourcing intelligence, introducing basic cyber hygiene, and purchasing comprehensive cyber insurance. Finally, operationally, they are more likely to conduct employee awareness training and implement multi-factor authentication. These factors may all be underpinned by the benefits accrued from hiring from less traditional talent pools (29% vs 21% average).

Despite current success, Manufacturing fully acknowledges the targets they have on their backs and are not complacent. The industry is also more likely to plan to hire third-party consultants, bolster cyber security infrastructure, implement a regular patch management program, and hire in-house specialists.

[Chart: Annually, how much do you spend on vulnerability assessments, penetration testing or red team activities?]

Meet the cyber security strategy leaders

We isolated a group of survey respondents who are using technology and talent to get the most from their cyber security investments. This elite group (n=126, approximately 25% of the sample) is defined by the following: Respondents in the first quartile who have already implemented initiatives like employee awareness training, introducing basic cyber hygiene, hiring third-party consultants, using managed service providers, using technologies like AI and automation, and aligning their strategy with business and IT.

They have implemented a stronger talent strategy, like improving employee skills, using managed service providers and professional services, and bringing on board members with specific cyber security experience. They are far less likely to say their internal cyber security teams are suffering from burnout.

They experience better results from their efforts. They are more likely than others to say initiatives like employee awareness training, introducing basic cyber hygiene, investing in the right products and services, and bolstering cyber security infrastructure have been effective.

They manage data better than other respondents - almost all are confident in keeping up with data regulations, preventing data security breaches, and sharing data internally with partners.

They have made purposeful investments in technology - most have invested in cloud and updated infrastructure, as well as AI and automation, potentially to close some skills gaps. They are less likely to say their budget is inadequate to fully protect their organisation.

They're already reaping the benefits of their efforts - they've already seen improved profitability and cost savings, internal efficiency, and revenue, and increased innovation potential.

The takeaway: balancing tech and talent like our Leaders could give organisations a leg up when setting cyber strategy.

Conclusion

Talent and technology should go hand in hand to ensure an effective and agile cyber security strategy. But that is easier said than done - an advanced cyber strategy continues to evolve and grow in complexity, making it difficult to figure out where to start. Executives must implement the technologies with intention, ensuring their investments suit their organisation's specific needs and are used effectively. To create a robust cyber security strategy and reap the benefits of those efforts, we recommend organisations take the following actions:

Invest in the right technology solutions. It seems so simple, but with an array of technological solutions on the market, it can be difficult to assess the best fit for your organisation - and often newer fixes aren't compatible with legacy infrastructure. Avoid panic buying and throwing precious budget down the drain by understanding where your gaps are - whether it's bolstering cyber security or improving employee skills - to decide where your tech investments should be targeted.

Ask for help. Understanding those gaps is easier said than done - and investing in the right solutions is even scarier when budgets are tight. To maximise your budget, hiring a third-party advisor or in-house consultant can point you in the right direction. Seeking advice on this can help you avoid making inappropriate investments and can recommend what should be done with existing technology - and even employees.

Bring your employees with you. While investing in the right technology is crucial to improving your cyber strategy, the need for human oversight is even more important. You need a team that has awareness of both the complexities and significance of a strong cyber strategy - and you need them to implement it successfully. Whether it's upskilling and reskilling employees or bringing in people with specialised skills, there are many ways your employees can become a key line of defence in combatting threats.

[Chart: Which of the following cyber security threats are of greatest concern to your organisation?]

iomart Group plc. 55 Robertson Street, Glasgow G2 8JD