Cyber Confidencemedia.ntxcyber.com/wp-content/uploads/2019/11/Cyber... · 2019. 11. 4. · optimal...

Cyber Confidence Building a trustworthy security posture



Contents

Will the defenses hold?

A matter of confidence

Security professionals have reservations about their organization’s security posture

Barriers

Mitigating the risks

Bouncing back from a breach

Security professionals left uncertain and in compromising positions

Sourcing advice

The impact of outsourcing

The future is promising

Defend with confidence

Methodology and executive analysis

About Nominet

Nominet’s Cyber Security Solution - NTX

Sources

Real-time threat prediction, detection and blocking


Cyber Confidence | Building a trustworthy security posture


Will the defenses hold?

On average, businesses last year experienced an astonishing 145 security breaches at the average cost of £13m per organization.[1] Given the rapid increase in the volume and cost of cyber crime, it’s little wonder that businesses seem to be focusing on cyber security more than ever. As far back as 2016, a report by Lloyds found that more than half of organizations in Europe have placed responsibility for their cyber security posture on the shoulders of the CEO.[2] Similarly, a survey by NYSE found that more than 80% of respondents discuss cyber security at most or all boardroom meetings.[3]

With statistics like that it’s tempting to think that the days when IT and their security teams had to fight to prove the value of cyber security are well and truly over. The challenges and costs of cyber crime are now out in the open, and it’s easy to assume that means all security teams are now well-funded, supported from above and able to carry out their work with complete confidence. But is this really the case? How confident are security professionals that they have the resources, technology, talent and budgets required to meet the growing threat facing their organizations?

To help answer these and other key questions, we polled the views of 274 Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), Chief Technology Officers (CTOs) and other security professionals from private and public sector organizations in the UK and US. Our research reveals that:

• Security professionals have serious reservations about their organization’s overall security posture

• There’s a consensus that lack of investment by the business in skills and training is a real problem

• Security professionals are uncertain and in compromising positions despite investing in an array of technology

• Most respondents believe the future will be better, with their businesses placing more of a focus on cyber protection

A matter of confidence

Security professionals have reservations about their organization’s security posture

When it comes to the organization’s overall security posture, which includes the technology stack but also incorporates elements such as procedures, processes and human behaviors, the confidence of the security professionals we interviewed was far from strong. In fact, 70% expressed some sort of dissatisfaction, reporting that they are only ‘moderately’, ‘somewhat’ or ‘slightly’ confident in their overall security posture.

70% of security professionals lack confidence in their overall security posture

76% of respondents believe cyber security will increase as a business priority in the future

Barriers

When it comes to protecting their organization, many security professionals find a range of barriers standing in their way. The biggest challenge to effective cyber security is the increasing sophistication of threats (49%), which is largely out of the direct control of organizations (see more on this in the next section). However, many other key challenges are well within the powers of business leaders to help address. These include insufficient staff training (41%), lack of funding (34%), insufficient staffing (31%) and a lack of board support (29%).

[Figure: Do any of the following challenge your organization’s cyber security efforts? Bar chart, in %, with bars for: lack of board support, insufficient staff training, lack of funding, threat sophistication, insufficient staffing.]

[Figure: How confident are you in your organization’s overall security posture? Segments: not confident, very confident, moderately confident, slightly confident, somewhat confident. Values shown: 38%, 1%, 10%, 21%, 30%.]

[1] ZDNet, [2] ITProPortal, [3] Veracode


Two of the most interesting barriers are insufficient staff training (40%) and insufficient staffing (31%), two elements of a cyber security skills gap that will stop organizations from putting in place an optimal security posture. The security skills gap has been discussed at length in the industry, and solving it is absolutely essential to building confidence in a security posture.

Other barriers differ from region to region, as might be expected. In the UK, for example, lack of funding (44%) was much more important than in the US (26%), perhaps reflecting different budget priorities between the two countries. Regardless of such differences, however, our survey reveals a number of significant barriers that limit the tools available to security professionals to build a more resilient security posture.

To enhance the confidence of security professionals in their postures, a number of things need to take place. First, organizations must put in place the right technology so that threats aren’t seen as insurmountable. Second, the right investment must be made, both in terms of budgets and people.

Mitigating the risks

As mentioned above, the top threat to an effective cyber security posture is the increasing sophistication of cyber crime. What does this look like in reality? When looking at the sort of attacks that companies have weathered over the past year, it’s notable that in addition to the perennials of cyber crime, namely phishing, viruses and malware (44%), two common attack methods are both related to employees: staff receiving fraudulent emails (44%) and the unauthorized use of computers/networks/servers by staff (34%).

Clearly cyber awareness amongst employees still poses a very real threat to businesses, and our findings add real weight to the argument that when it comes to cyber security, employees should be the first line of defense against cyber crime. Instilling good cyber security habits in all staff, not just IT, is the best way for organizations to defend against evolving cyber threats.

It should also be noted that as companies look to understand the risks facing their organizations, a first step in building a security posture you can have confidence in, they must take stock of the threats most relevant to their industry. Our research shows certain threats are much more prevalent in some sectors than others.

For example, 49% of respondents from financial services businesses said their organization experienced a cyber attack and/or breach within the past 12 months, with the top offenders being staff receiving fraudulent emails (52%) and the bottom being ransomware (30%). Meanwhile, 64% of respondents from legal companies said their organization experienced a cyber attack and/or breach within the past 12 months. For these respondents, ransomware and hacking (57%) were the top attack types.

Building sector-specific threat profiles that take into account the sort of information that will likely be targeted, along with the most common threat vectors, can help organizations put in place a robust and reliable response. For financial service firms, this would include analysis of external factors such as increasing regulatory oversight to test the resilience of IT systems and cyber defenses. Legal firms, meanwhile, would likely consider the impact of GDPR given the large volume of sensitive personal and commercial data at their disposal. This would then need to be augmented with detailed threat intelligence.

Bouncing back from a breach

According to our research, uncertainty around successfully dealing with a repeat attack detrimentally affects the confidence of security professionals. In fact, two thirds of those hit by a breach in the previous 12 months (68%) weren’t very confident that their organization could defend against the same type of attack again. Interestingly, US respondents were significantly more confident of their ability to defend against an attack they have previously experienced compared to those from the UK: 40% vs. 22%.

However, given that the types of attacks are so vast, comprising diverse threats including malware, phishing, DNS hijacking and much more, and the fact that organizations suffering a breach are most often attacked more than once in a 12 month period, the inability of companies to bounce back from an attack is clearly a potential weak point for the future.

Enterprises therefore need to be sure they’re protecting against all types of attack and that they take the right action when hit. That means doing more than simply defending against an attack in progress. Instead, companies must learn from past attacks and use this information to inform the future security posture. By viewing attacks as valuable lessons, and using these lessons to improve, organizations should be able to boost their confidence in their security approach and overcome some of the most intractable of security challenges. Even then, some key challenges remain in the way.

Security professionals left uncertain and in compromising positions

When asked whether they are confident that they have chosen the right or best security solution for their business, given that there are so many to choose from, our respondents were uncertain. While 31% reported being ‘very confident’ they have made the right choice, the majority were not so sure: 67% were just ‘moderately’, ‘somewhat’ or ‘slightly’ confident in their choice, while 2% weren’t confident at all.

[Figure: Given the wide array of solutions available, how confident are you that your organization has chosen the right/best one? Segments: not confident, very confident, moderately confident, slightly confident, somewhat confident. Values shown: 2%, 13%, 20%, 34%, 31%.]


There was some difference here depending on what country the interviewee was from. Respondents from the US were much more likely to be confident in their choice than their peers in the UK: 37% vs. 22%. While cultural influences are no doubt a factor here, it is perhaps also down to the fact that respondents from the US are more likely to work at organizations of 5,000+ employees (35% vs. 28%), where there are typically tighter processes around procurement.

The confidence levels of security professionals were similarly mixed when it comes to the effectiveness of an organization’s security stack. Most scored their stack an 80% in terms of effectiveness, with less than a fifth (17%) feeling confident enough to rate it 100% effective.

These findings are important because, despite the relative lack of confidence in their security solution, 71% of security professionals questioned also say their organization touts its cyber robustness to partners and customers.

Sourcing advice

When looking to purchase a new security solution, the security professionals we spoke to are turning to outside experts for help. However, some are more trusted than others.

Across all sectors, industry bodies are the least trusted source of cyber security advice when choosing a security solution, with only 34% of buyers looking to them for guidance. This is at its lowest in the transport sector, with only 19% of buyers looking to them for advice. The most popular place for advice is vendors themselves (53%) followed by consultants (53%) and analysts in third place (52%). Only in the government sector is this different - with buyers seeking advice from industry bodies first (57%) and security vendors last (29%).

Yet even after all this third-party advice, remember that only 66% of security professionals say they are confident in the final choice of security solution. This jars slightly with the fact that nearly 59% of partners and 55% of customers demand an understanding of how robust a company is in terms of its cyber defenses.

Despite all this uncertainty, and perhaps as something of a contradiction, only 25% of security professionals say their organization doesn’t tout its cyber robustness to customers and partners. The utilities sector leads the way in promoting the strength of their cyber posture - with 88% of all respondents saying their company did so, with the legal industry and critical national infrastructure sector following in second place with 81%.

Security teams are struggling to keep up with a burgeoning security market and, despite realization of the impact of attacks growing, it seems independent information for those looking to purchase countermeasures is lacking. This can lead to many being forced to make inappropriate choices for the threats they face, forcing them into uncomfortable situations when asked questions about the effectiveness of their posture.

[Figure: Where did/do you seek advice when choosing a security solution? Bar chart, in % (axis 0 to 60), with bars for: security vendors, analysts, security consultancies, outsourced cyber security, system integrators, industry peers, industry bodies, “I don’t seek any advice when choosing a security solution”.]


The impact of outsourcing

When we asked explicitly about outsourced services, we discovered that there is a good deal of confidence in the ability of outsourcers to help protect businesses. Around half (51%) of the people we spoke to said that they believe the risk level associated with outsourced cyber security is more or less equivalent to that for traditional IT environments. In this regard, the UK is significantly more likely to feel that the risk is ‘about the same’ (61%) than the US (44%); an interesting finding given that US companies are more likely to seek advice from outsourcers.

Once again, we see lower levels of confidence in sectors where the impact of a security breach is highest: respondents from government sector business, for example, believe that there is a higher risk to outsourced services (48%), while utilities companies are almost as likely to say the risk is higher than to report it is roughly the same (40% vs. 44%).

This may relate to a lingering misperception that managing all security services in-house is by default the most secure option, as the IT team can maintain complete control of data and systems. The reality is that modern outsourced security services often offer the highest levels of security as the services are kept constantly up-to-date and leverage the expertise of a large and dedicated security team. The best outsourced services are able to be deployed either through the cloud or as an in-house system so firms can maintain direct control/oversight if required.

The future is promising

If today’s security professionals are ambivalent about their security postures and feel hamstrung by a lack of funding and skilled talent, the future looks much brighter. The vast majority (76%) of respondents believe that cyber security is increasing as a priority within their organizations and many are already noticing a difference. When asked whether their confidence in their overall security posture has changed over the past year, 62% reported that it had improved, compared to just 28% who thought it had stayed the same and 10% who said it had decreased. That is a very positive sign.

Also good news is the fact that 80% of organizations are measuring the performance of their security stack. By doing so, these companies are giving themselves the data they need to identify where best to make new security investments.

Based on our survey, the areas that will receive the most investment over the next three years are cyber monitoring (16%), cyber resilience (14%) and cyber governance (12%), while areas such as strategy and program transformation (3%), stakeholder awareness (4%) and third-party, supply-chain management (6%) will receive less investment, perhaps because businesses already think they are doing enough. The picture emerging here is of security teams that understand what needs to change and have confidence that over the medium term their company will support them in making these changes.

However, it’s important to note that major issues, such as the skills gap, won’t be solved overnight. What’s more, many respondents still feel uneasy about what the future may have in store. For example, 46% said they are concerned that internal developments within the business may increase its vulnerability to cyber attacks.

Security professionals therefore need to focus on areas that can help them allay their fears over the ever-evolving threat landscape. This will include sophisticated networking detection and response technology - to catch threats early and mitigate their impact - combined with an effort to train staff and create a more resilient organization. Such technologies can help firms prepare for the unknown: both new threats and threats that target new vulnerabilities.

[Figure: In the next three years, in which area do you expect to see the most investment? Categories: identity/access management, cyber reporting, endpoint/network security, cyber monitoring, cyber security governance, cyber resilience, application/data protection, third-party/supply chain management, compliance/regulations, stakeholder awareness and communications, strategy and program transformation. Values shown: 9%, 16%, 12%, 14%, 9%, 11%, 6%, 8%, 7%, 4%, 3%.]


Defend with confidence

The evolution of digital technology within enterprises and public sector organizations has progressed at a blistering pace. Today, companies and agencies have more ways to engage with their customers and stakeholders, and new digital-first business models are opening revenue streams and helping to create interconnected ecosystems of partners. These ecosystems are linked by complex digital networks and huge volumes of data all centered on delivering breakthrough experiences to customers, employees and citizens.

But as the benefits of digitalization have increased, so too have the threats. In many cases security teams have been left scrambling as new generations of increasingly sophisticated cyber attacks have disrupted the operations of the largest of businesses. The prevailing attitude to emerge is not one of confidence: around half of CEOs, for example, think that the likelihood of their organization becoming a victim of a cyber attack is a case of ‘when’, and not ‘if’.[4]

It’s therefore not surprising that as of 2019, many cyber security professionals in the UK and the US have mixed feelings about the state of their security posture. Confidence in the technology is there, but so too is a nagging doubt that they do not have the best on offer. Meanwhile, few businesses can claim to have complete confidence in their overall security posture.

However, the future offers much promise. Firms are prioritizing cyber security like never before, and security professionals are measuring their security performance and have plans to invest in the areas that will drive the most improvement in their organization. Confidence levels will likely increase in line with these changes.

The advance of cyber security tools will also help build confidence. Modern cyber monitoring tools that leverage sophisticated machine learning and AI systems can help firms identify and shut down attacks - both known viruses, malware and phishing attacks as well as new and zero-day attacks. Such approaches give security professionals the confidence they need that attacks will be detected and stopped before they cause harm.

Security teams should always be watchful. There will always be new threats, and there will always be criminals looking to exploit vulnerabilities. However, security teams need not have sleepless nights over their security posture. By investing in employee training and reskilling, by identifying the right tools and prioritizing investment accordingly, and by seeking advice from a wide range of experts and service providers, security teams can rest assured that everything that can be done to secure the enterprise is being done.

Methodology and executive analysis

Nominet commissioned a survey of 274 Chief Information Security Officers (CISOs), Chief Technology Officers (CTOs), Chief Information Officers (CIOs) and other professionals with responsibility for overseeing the cyber security of their organization.

Respondents were sourced from large organizations (with 2,500 employees or more) within the UK (117) and the US (157), spanning a range of industries and sectors including automotive, critical national infrastructure (CNI), finance, government, healthcare, hospitality, legal, life sciences, retail, transport and utilities.

[4] KPMG


About Nominet

Nominet is driven by a commitment to use technology to improve connectivity, security and inclusivity online. For over 20 years, Nominet has run the .UK internet infrastructure, developing an expertise in the Domain Name System (DNS) that now underpins sophisticated threat monitoring, detection, prevention and analytics that is used by governments and enterprises to mitigate cyber threats.

A profit with a purpose company, Nominet supports initiatives that contribute to a vibrant digital future and has donated over £47m to tech for good causes since 2008, benefitting more than 10 million people. The company has offices in Oxford and London in the UK and Washington DC in the US.

Nominet’s Cyber Security Solution - NTX

NTX will reduce risk on your network and eliminate threats before they cause harm.

All networks rely on DNS traffic. It is a critical source of information to check for threats and monitor the health of a network, but often overlooked in the security stack. NTX analyzes network DNS traffic for both known and unknown threats. Embedding our patented algorithms means we eliminate threats from the network and identify zero-day activity not seen by traditional methods of detection. This narrows the window when malicious activity can compromise your network.

Eliminate network threats before they cause harm

Our continuous R&D efforts create powerful insights to predict, detect and block network threats.

Proven & trusted cyber security services

Protecting enterprise customers and chosen by UK Government.

Contextualize your network and know what good looks like

Understand normal network behaviors and identify any abnormal trends.

Threat hunting & forensics

Granular data capture to provide meaningful insight for the duration of your service.

Easy deployment & integration

With minimal touchpoints and rich APIs for your existing security investments.

SOURCES

https://www.zdnet.com/article/cybercrime-is-increasing-and-more-costly-for-organizations/

https://www.itproportal.com/news/cyber-security-now-a-boardroom-issue/

https://info.veracode.com/survey-report-cybersecurity-in-the-boardroom.html

https://home.kpmg/xx/en/home/insights/2018/06/if-recognizing-the-problem-is-half-the-battle-then-ceos-are-ready-for-the-cyber-security-challenge.html


For more information on how Nominet can help secure your business, please contact us on: UK: +44 (0)1865 332 255 | USA: +1 202 821 4256 | [email protected] | nominetcyber.com