CTOs Talk Cybersecurity
by Nick Kael
Posted on March 16, 2022
A recent survey of over 500 CTOs across four continents revealed a lot of interesting information and insights. But what really surprised us – and concerned us, too – was the section on “How CTOs are managing risk and protecting data and IP.”
Stunning inattention to cybersecurity
80% of companies smaller than 50 employees do not have a dedicated cybersecurity team. Of companies with over 1000 employees, 18% have no dedicated team. It’s a pretty safe bet (no pun intended) that at least some of the under-50 companies and most of the over-1000 companies use some sort of outsourced solution.
But consider this more troubling stat: 42% of the CTOs surveyed said their companies have no cybersecurity at all. None. No individual who is responsible for cybersecurity, certainly no dedicated team. No managed security service provider (MSSP), not even an outsourced cybersecurity service or consultant.
Given the dramatic increase in both the number of cyberattacks and their sophistication, neglecting cybersecurity is a grave mistake. Small businesses – the under-50 employee companies that have no dedicated cybersecurity teams – most likely assume that they are too small for cybercriminals to bother attacking. But increasing cyberattack automation and growing use of supply chains as a delivery vector put small companies at high risk. And unlike large companies that have the financial resources to weather a cyberattack, a successful cyberattack can be an existential threat for many SMBs.
Cybersecurity is too complicated – and too crucial – to be left to the part-time efforts of an IT generalist.
The greatest cybersecurity risks
Going back to the survey, 59% of CTOs saw human error as the greatest threat to security, with ransomware (49%) and phishing (36%) following. Of course, these are not mutually exclusive categories: a lot of ransomware is delivered by way of phishing attacks and falling for phishing attacks is the very essence of human error.
Ransomware protection
Despite its high ranking as the greatest cybersecurity threat and the many high-profile, crippling, and expensive ransomware attacks of recent years, nearly half of respondents – 47% – have no ransomware protection. In fact, only 10% of respondents have ransomware protection implemented for all cases. To make matters worse, many CTOs reported that their organizations permit deployment of untrusted container images, which frequently contain malware.
Focus on recovery
Disaster recovery is the most commonly deployed cybersecurity tool among the CTOs surveyed, with over 94% reporting having automated backups in place.
While recovery solutions are a prudent investment, companies would do well to invest in solutions that can protect them from ransomware attacks in the first place. Of course, ideally, both should be deployed, since no prevention scheme is perfect.
Conclusion
One out of 13 respondents – nearly 8% – said they had fallen victim to a cyberattack in the previous 12 months. It’s safe to assume that this figure lowballs the actual number, since companies are reluctant to publicize being attacked. In addition, given the significant number of organizations lacking professional security staff, it is likely that some may not be aware that their networks were breached.
Considering that a successful cyberattack can cripple a company for weeks and recovery costs can far exceed direct losses due to attack, even 8% is a scary statistic.
The best way to protect against all three of the top perceived cybersecurity threats – human error, ransomware, and phishing – is with a Zero Trust approach to securing interactions with web and email.
With a Zero Trust approach, every website, every user, and every network interaction are treated as potentially dangerous. With this in mind, Zero Trust Web Browsing assumes every interaction with the web is risky. To address the risk, a technology called Remote Browser Isolation (RBI) can be used to air-gap users’ devices from ransomware and phishing attacks (thus catching a lot of human error) delivered by the most common threat vectors – emails and the web.
Many small and medium enterprises may believe that Zero Trust security is out of their reach – too costly, too complicated, too difficult to manage. That’s why we created ZTEdge, a Secure Access Service Edge (SASE) solution, specifically to meet security needs of small and medium enterprises. And it is why we partner with excellent Managed Security Service Providers (MSSPs) who make it simple for smaller companies to enjoy the full benefits of Zero Trust security, without in-house cybersecurity expertise and without breaking the budget. Check it out now and start protecting your business from cyberthreats.
About Nick Kael
A cybersecurity expert with over 20 years of experience in web technologies, architecture, infrastructure, networking and dev environments, Nick is responsible for solution management, technology strategy and technology partnerships. Nick was previously Symantec Group CTO for Global Service Providers, following his tenure as Director of the Chief Architect Team for Channel and Service Providers at Zscaler and an earlier position in the Symantec CTO organization. His certifications include CEH7, CCSK, BCCPP, Bluecoat Blue Knight, MCSE + Security, CCDP, CCNA, CCSA, VTP5 and VTSP5.Recent Posts
Air Gapping Your Way to Cyber Safety
Physically air gapping enterprise networks from the web is a great way to protect operations, keep data safe … and squelch productivity. Virtual air gapping is a better approach.
Motion Picture Association Updates Cybersecurity Best Practices
The MPA recently revised its content security best practices to address, among other challenges, the issue of data protection in the cloud computing age.
FTC Issues Cybersecurity Warning for QR Codes
QR codes on ads are a simple way to grab potential customers before they move on. No wonder cybercriminals are using QR codes, too.