Organisations ill-prepared for the stress of complex cyberattacks

Cyberattacks place a heavy burden on employees who have to deal with the fallout of these situations, and many organisations find that these threats are now too advanced to deal with on their own, according to a new report from Sophos, a UK-based security software and hardware company.

The report, The State of Cybersecurity 2023: The Business Impact of Adversaries, found that 94% of companies experienced a cyberattack of some form last year. Given the rise in these attacks, the researchers behind this new survey report warn that all companies, irrespective of size and revenue, should assume they will also be a target of a cyberattack this year.

Sophos commissioned an independent survey of 3,000 leaders responsible for IT/cybersecurity across 14 countries in January and February this year.

These experiences are taking their toll on employees dealing with threats that have become more unpredictable and commonplace. The report said that 57% of IT professionals surveyed expressed that worrying about cyberattacks "sometimes keeps them up at night."

More than half of respondents said that cyberthreats are too advanced to be left to the organisations alone to solve, and the percentage of IT professionals holding that view is higher at smaller companies (64%) than at larger ones (52%).

Ninety-nine per cent of IT professionals surveyed are concerned about cyberattacks affecting their organisation this year, the report said. Dealing with them has detrimental effects on productivity: 71% struggle to remediate incidents in a timely way (which increases risk exposure), and 55% note that dealing with cyberthreats affected the IT team's work on other projects.

The report emphasises the alarming nature of this problem; attacks are predicted to increase, but companies are not prepared to defend against them. Ninety-three per cent said their organisations find security operations challenging, and 75% say identifying the root cause is the most challenging widespread issue for IT teams to manage.

As a result, most organisations now plan to add threat detection and response solutions to their security stack, and 44% of organisations plan to start working with a managed detection and response provider within the next 12 months in response to skill shortages, the report said.

Adversaries have now outpaced defenders, the report says, but there are solutions. Addressing the situation requires a straightforward three-step approach, according to the report:

• Implement a more scalable incident response process that accelerates response time;
• Leverage adaptive defences to slow down adversaries; and
• Create a virtuous cycle that improves protection and lowers cost.

While a main concern for companies is often the "clean-up costs" involved in the aftermath, the financial impacts are not limited to the cost of the attacks themselves but to expenses involved in recruiting and retaining staff in this space, the report said.

Retention difficulties are projected to continue as more IT staff become overwhelmed by tasks for which they lack skills and resources to perform. "Burnout is a major issue in cybersecurity," the report said. "Overstretched teams are more likely to miss important signals, adding further pressure."

This also suggests that defenders do not have full confidence in their security tools, the report says, which is a cause for concern on economic and employee-welfare fronts.

"There is a direct relationship between skills shortage and security tool misconfiguration: Without the time, knowledge, and experience to configure controls correctly, you create gaps in your defences," the report said.

— To comment on this article or to suggest an idea for another article, contact Steph Brown at Stephanie.Brown@aicpa-cima.com.