The State Of Corporate Cybersecurity: Paranoia, Hopelessness

It is perhaps no surprise that the latest research on corporate cybersecurity is far from optimistic. In a time when experts highlight the increasing sophistication of cyberattacks, the growing financial and reputational losses as a result of data breaches, and the rising investments in cybersecurity technologies that still seem unable to halt the threats, the newest research from cybersecurity company Lastline is similarly bleak.

In a company blog post published on Tuesday (May 7), Lastline highlighted some of the key findings from its survey conducted at the 2019 RSA Conference. Only 2 percent of cybersecurity respondents said they have adequate funding for their security initiatives, and 23 percent said they believe it would take a successful cyberattack on their organizations to convince executives to invest more in cybersecurity.

The report also revealed some serious shortcomings in the behavior of employees and executives that further expose companies to cyber risk. For instance, a lack of cyber education has led nearly one-third of cybersecurity executives to believe that at least half of their employees think the cloud is literally in the sky.

“This is either funny or very concerning (or both),” Lastline said in its post.

The firm’s CEO John DiLullo agreed that some of the findings in the report represent a frustrating sentiment in the enterprise cybersecurity space.

“I think, generally, people [are feeling] paranoia and, in some situations, a feeling of resignation or hopelessness,” he told PYMNTS in a recent interview.

Some of the largest cybersecurity threats he sees today include the BYOD (Bring Your Own Device) movement, cyberattackers’ use of encryption, and the migration of corporate systems into the cloud, which means executives no longer store sensitive company and customer data on a physical machine they control and no longer have a physical perimeter to protect. There is also the issue of lengthy dwell times, sometimes extending to hundreds of days: malicious actors sit inside company networks for months at a time without being detected.

Considering these threats, he said, that paranoia is certainly warranted.

Combining Education With Technology

According to DiLullo, employee education is an essential component of protecting the enterprise. Educating directors and C-level executives on cyberthreats, in particular, would help security teams obtain the funding, resources and company support necessary to protect internal systems.

At the micro level, employee education on why they shouldn’t use or share insecure passwords, click on suspicious links, or include wire or account data within emails can also be effective — to a point.

“Simple things like password sharing: You tell people not to share their passwords, and they do it anyway,” DiLullo said.

This is where technology comes in, combined with that education.

Promoting employee awareness of strong passwords is even more effective when companies also implement technologies like two-factor authentication, biometrics, behavioral analytics and other tools that control company logins and protect credentials even when workers fail to do so. Detection technology can then identify a system compromise even after an employee has clicked a suspicious link.
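As an added example (not code from Lastline, the article, or anyone quoted in it), the following Python shows the kind of login control described above: a password check, a second factor (TOTP per RFC 6238, built from the standard library), and a simple behavioral rule that flags valid credentials arriving from an unfamiliar address. The user, password, IP addresses and fixed timestamp are constructed for the demo; the TOTP key is the RFC 6238 test-vector key. The point it demonstrates is that a shared or stolen password on its own no longer gets an attacker in.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second step counter."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    known_ips: frozenset


def make_user(password: str, totp_secret: bytes, known_ips) -> UserRecord:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return UserRecord(salt, pw_hash, totp_secret, frozenset(known_ips))


def password_ok(user: UserRecord, password: str) -> bool:
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 200_000)
    return hmac.compare_digest(derived, user.password_hash)


def second_factor_ok(user: UserRecord, code: str, unix_time: int) -> bool:
    # Accept the current step and the previous one to tolerate small clock drift.
    return any(hmac.compare_digest(totp(user.totp_secret, unix_time - drift), code)
               for drift in (0, 30))


def authenticate(user: UserRecord, password: str, code: str, source_ip: str, unix_time: int):
    """Return (decision, reason). A correct password alone is never enough."""
    if not password_ok(user, password):
        return ("deny", "bad password")
    if not second_factor_ok(user, code, unix_time):
        return ("deny", "bad second factor")
    if source_ip not in user.known_ips:
        # Behavioral signal: valid credentials from a source this user has never
        # used before. Require extra verification instead of allowing outright.
        return ("step_up", "unfamiliar source address")
    return ("allow", "ok")


# Constructed demo data: the key is the RFC 6238 test-vector key, the rest is made up.
SHARED_SECRET = b"12345678901234567890"
alice = make_user("Winter2019!", SHARED_SECRET, {"10.0.0.5"})


def demo(now: int = 59):
    """Four constructed login attempts at a fixed timestamp (RFC 6238 vector T=59)."""
    code = totp(SHARED_SECRET, now)
    return {
        # Owner at her usual desk with her own token.
        "owner_from_desk": authenticate(alice, "Winter2019!", code, "10.0.0.5", now),
        # A colleague (or attacker) who was given the password but has no token.
        "shared_password_no_token": authenticate(alice, "Winter2019!", "000000", "203.0.113.9", now),
        # Password and a phished code, but from an address never seen for this user.
        "stolen_token_new_location": authenticate(alice, "Winter2019!", code, "203.0.113.9", now),
        # Plain password guess.
        "wrong_password": authenticate(alice, "guess", code, "10.0.0.5", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "step_up" outcome is where behavioral analytics earns its place: rather than denying a legitimate traveller outright, the system asks for additional proof, which is also what defeats a phished one-time code replayed from the attacker's own machine.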

While DiLullo agreed that there is an opportunity for enterprise cybersecurity teams to get closer to other departments (for example, coordinating with human resources on employee training initiatives, or collaborating with accounts payable and accounting on preventing wire fraud and phishing scams), he said the biggest opportunity is in DevOps. Teams that prioritize lightweight, speedy app and platform development often fail to prioritize the security of what they build, leaving room for chief security officers and cybersecurity teams to step in.

“Security is going to gain a hold in other departments, but the number-one place it needs to be is in any app developer environment,” he said.

Room For Optimism?

Despite the doom-and-gloom figures in Lastline’s latest analysis, and in countless other surveys and research reports, there may be signs that organizations are improving their cybersecurity practices.

DiLullo said that, only a few years ago, far more employees clicked on malicious links or sent sensitive information via email. Though it still happens today, he has seen growing awareness of the dangers of such practices.

There has also been a surge in the development of enterprise risk management plans, which puts cybersecurity leaders in front of boards of directors and enterprise heads to integrate cybersecurity into the broader risk mitigation effort. Still, DiLullo was hesitant to say that there is room for optimism on a broad scale.

“If you want to return to the old days where there was zero cybercrime, that’s not going to happen,” he said. “But when you look at companies that are really disciplined, they’re educating their employees, they’re being careful about how they embrace new computing models in the public cloud, they’re giving CFOs and enterprise risk management teams lots of authority and empowerment, and they’re spending what they need to spend. With the technology that is out there today, and with best practices, you have the ability to materially improve your risk profile.”