With the cybersecurity threat constantly looming and, in many instances, growing for corporations, a new report from Kaspersky Lab suggests businesses shouldn’t necessarily rely on their IT departments to safeguard their firms.
That’s because many IT security professionals themselves are at a loss for how to protect the enterprise against targeted cyberattacks, researchers concluded in Kaspersky’s “New Threats, New Mindset: Being Risk Ready in a World of Complex Attacks,” released last week.
In a survey of business professionals, researchers found that a slight majority (52 percent) acknowledge that a security breach will happen to them at some point — up marginally from 51 percent last year.
Further, 42 percent said they are unsure of how to handle a targeted cyberattack and other types of threats. Perhaps most worrying, that figure jumps to 63 percent when only IT security experts are surveyed — the very professionals who should be most competent and confident in their cybersecurity strategies.
“Now that companies are starting to realize that cybersecurity breaches are a real risk to their business continuity, it’s time to give incident response the attention it deserves,” said Kaspersky Lab Head of Enterprise Business Division, Alessio Aceti, in a statement announcing news of the research. “It can no longer be a small part of the IT security department’s responsibilities and should instead involve strategic planning and investment at the highest level. For organizations, this doesn’t mean becoming risk-free, but it will certainly help to become risk-ready and survive a serious breach when it happens.”
According to researchers, targeted attacks are one of the fastest-growing tactics used by cybercriminals this year. Large enterprises have seen an 11 percent rise in this strategy compared to last year. Targeted cyberattacks, Kaspersky explained, don’t just involve malware (and may not involve malware at all); instead, cybercriminals use “a unique and malicious pattern” against a specific corporate target, built from multiple, carefully crafted stages of attack.
This can include the dreaded Business Email Compromise (BEC) scam, which, in some cases, involves attackers infiltrating email accounts to identify speech patterns and business partners and more convincingly pose as a legitimate contact.
For businesses of all sizes, targeted attacks have increased 6 percent year over year, Kaspersky said. More than a quarter said they have already been the focus of a targeted attack this year, up from 21 percent last year, and a third of companies said they feel they are being specifically targeted by a cyberattack.
The IT department can often be the first line of defense in cybersecurity, but researchers warn that companies should not necessarily rely too heavily on these professionals.
One reason is a shortage of IT security talent. According to Kaspersky researchers, half of companies surveyed said they know they need to hire more IT security professionals. A shortage of such talent means a 15 percent increase in exposure to targeted attacks, the report warned.
But increased hiring may not be on the agenda, as cybersecurity spend has stalled for many organizations. The report found 78 percent of respondents believe they currently spend enough on efforts to protect against targeted attacks — or even that they are overspending.
Most C-level IT professionals (84 percent) think their companies are spending enough, or are overspending, on cybersecurity. But fewer non-IT C-level executives agree, with 79 percent reporting the same sentiment, “suggesting that they are more concerned about the business risks related to targeted attacks,” said Kaspersky Lab.
For many companies, the decision to take action and bolster their IT security teams only comes after a cyber incident, with 58 percent of respondents saying a cyberattack led them to employ IT security consultants. Kaspersky stressed the importance of proactive protection against cyberattacks, which includes improving access to in-house and outsourced IT professionals who specialize in cybersecurity — including protection against targeted attacks.
The research that calls into question IT professionals’ ability to protect their organizations resonates at a time of criticism against Kaspersky Lab and its cybersecurity products in the U.S. In September, the U.S. banned federal agencies from using Kaspersky antivirus software over concerns about the Russian company’s ties to Russian spy organizations.