Traditional measures to detect and respond to cyberattacks are inadequate to protect organizations against modern data breaches, a new report has found.
The 2024 edition of the Critical Start Cyber Risk Landscape Peer Report, based on a survey of more than 1,000 cybersecurity professionals at the level of vice president and above, revealed that 83% acknowledged that they had experienced a data breach in the past two years — despite having traditional threat-based protections in place. That's 16 points higher than the 2023 report, when some 67% of the respondents said they had experienced a breach.
The average cost of a data breach reached an all-time high of $4.45 million in 2023, according to the report, which represents a 15% increase over the past three years. Additionally, organizations with fewer than 500 employees saw the average cost of a breach increasing from $2.92 million to $3.31 million, a 13.4% rise.
Across the board, traditional security tools are proving no match for the modern threat landscape. Here are four key problem areas that your organization can take action on.
1. Cost out of alignment with risk
Risk from the unknown is a major worry for many cybersecurity pros. According to the peer survey, 86% said that unknown organizational cyber-risk is currently a top concern, up from 69% in 2023.
The report's authors raised a red flag over the finding that 84% of security pros acknowledged that their organization is prioritizing the cost of security over the risk of a security breach. "Cost and budget have always been a point of contention between security leaders and business leaders," said Randy Watkins, CTO of Critical Start. "[The] thought process for business leaders is still 'It won't happen to us.'"
"[Business] leaders don't understand that it doesn't take a terribly complex cyber-event to cause tens of millions of dollars' worth of damage. So they don't prioritize spending on cybersecurity the way they should."
—Randy Watkins
Organizations must shift from a cost-centric approach to one that aligns with impact tolerance, the report asserted. Instead of aiming for zero risk, which is unrealistic, organizations should invest in cybersecurity measures that balance cost with the ability to manage and mitigate the impact of breaches.
To do that, organizations need to align their cybersecurity investments with quantifiable risk-reduction priorities. Such alignment remains relatively rare. The survey found that only about 35% of security pros said their cybersecurity spend was aligned with quantifiable risk-reduction priorities.
Quantifying risk reduction is very difficult, Watkins said. "We are starting to see a growing partnership between CFOs and CISOs to quantify cyber-risk and develop those metrics."
"There's just a lot more at play now, and all of that is very difficult to put a number on. But so much is impacted by a single cyberattack that C-suites and boards are now demanding that level of alignment and that level of quantification."
—Randy Watkins
2. Outsourcing risk leaves organizations exposed
Many security and operations teams are constantly fighting resource constraints that are only amplified by competing priorities, Watkins said. Under those constraints, teams can't expect to get ahead and do the pre-work necessary to build a risk-based approach that focuses on outcomes, reliable metrics, and continual process improvement.
Continued shortages in cybersecurity expertise were also reflected in the survey results, which found that 99% of organizations plan to offload segments of their cyber-risk-reduction work streams or projects to security providers over the next two years. Driving that trend is the recognition that unknown risks pose a serious concern, and outsourcing can provide the necessary expertise and resources to manage these risks effectively, while enabling organizational resources to focus on implementing a broader security strategy, the report explained.
Offloading risk can have benefits. By outsourcing risk, an organization can reduce its head count and avoid confronting expertise shortages in the industry. "You make hiring and retaining talent somebody else's problem," Watkins said. "You can also scale your team a lot more quickly for a lot less money."
But it can have drawbacks, too, Watkins said. Outsourcing creates gaps in control and coverage.
"There are very few providers that can actually understand the nuance behind your business. They're not able to be as effective at resolving alerts or at investigating alerts."
—Randy Watkins
That's why he recommends that organizations use a blended approach to managing risk. "You have to outsource some of the things that make sense but still maintain some head count and expertise internally to pick up where that third party leaves off," he said.
3. Traditional tools that aren't keeping pace with the threat landscape
Katie Teitler-Santullo, a cybersecurity strategist with OX Security, said one problem lies with traditional threat-based security systems, which are highly effective in addressing known threats but struggle to keep pace with the rapidly evolving threat landscape. And organizations need more granular context from their security tools to make informed decisions, she said.
"For starters, many of these tools are reactive, using historical data to inform current actions. While past behaviors might provide some visibility into what's happening now, new threats and tactics evolve all the time. What's more, many traditional security tools lack the depth of context in alerts to help security teams effectively decide the best course of action."
—Katie Teitler-Santullo
4. Lack of visibility
Critical Start CTO Randy Watkins cited several areas where traditional threat-based detect-and-respond security measures can come up short in preventing data breaches. One such area is the cloud. Cloud misconfiguration is common and can easily open up vulnerabilities that attackers can exploit, he said.
Watkins said that it's not enough to have an endpoint protection platform and to deploy endpoint detection and response if you're not deploying to every endpoint.
"Every endpoint that's not protected represents a significant risk. You combine that with the very rapidly evolving TTPs of attackers and you end up with traditional defenses not being able to withstand the onslaught of attacks that are becoming cheaper, easier, and more complex."
—Randy Watkins
Another finding in the report: Only 29% of the respondents said they had full visibility into their digital assets, a drop from some 34% in 2023. "If you look at every major framework, one of the first few controls — if not the first control — is to know what's in your business, know what your assets are, because it's impossible to protect what you can't see," Watkins said. "If you don't know you have it, how do you know you need to protect it?"
Watkins said he was expecting the number of respondents who said they have complete asset visibility across their entire environment to be in the 60%–70% range. "Instead, we got 29%. That was something shocking to me," he said.
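The two visibility gaps described above (endpoints that never received an EDR agent, and assets nobody has inventoried) can be surfaced with a routine reconciliation of the asset inventory against the EDR console's enrollment list. The script below is an added example written for this page; it is not code from the report, Critical Start, or ReversingLabs. The CMDB and EDR records are constructed sample data with hypothetical host names, and the field names (`hostname`, `last_checkin`) are assumptions about the export format rather than any vendor's schema. It also treats an agent that has stopped checking in as effectively unprotected, since a silent agent offers no coverage.

```python
"""Reconcile an asset inventory (CMDB) against EDR agent enrollment.

Added example with constructed data, not part of the original article.
Reports four buckets a defender cares about:
  covered      - in the CMDB and the agent is checking in
  stale        - in the CMDB but the agent has been silent too long
  unprotected  - in the CMDB with no agent at all
  unknown      - an agent is reporting, but the CMDB has never heard of the host
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample inventory (hypothetical hosts, not real assets).
CMDB_ASSETS = [
    {"hostname": "web-01", "owner": "platform"},
    {"hostname": "web-02", "owner": "platform"},
    {"hostname": "DB-01", "owner": "data"},
    {"hostname": "laptop-jdoe", "owner": "it"},
    {"hostname": "legacy-app.corp.example", "owner": "finance"},
]

# Constructed sample of what an EDR console export might list as enrolled
# agents; the field names are assumptions, not a specific vendor's schema.
EDR_AGENTS = [
    {"hostname": "WEB-01", "last_checkin": "2024-05-02"},
    {"hostname": "db-01.corp.example", "last_checkin": "2024-04-10"},
    {"hostname": "laptop-jdoe", "last_checkin": "2024-05-03"},
    {"hostname": "contractor-vm", "last_checkin": "2024-05-03"},
]


def normalize(hostname: str) -> str:
    """Case-fold and drop the domain suffix so CMDB and EDR names line up.

    Inventories and agent consoles rarely agree on casing or FQDNs, and
    that mismatch alone is enough to hide an unprotected host.
    """
    return hostname.strip().lower().split(".")[0]


@dataclass
class CoverageReport:
    covered: list = field(default_factory=list)
    stale: list = field(default_factory=list)
    unprotected: list = field(default_factory=list)
    unknown: list = field(default_factory=list)
    coverage_pct: float = 0.0  # covered hosts as a share of the CMDB


def reconcile(cmdb, agents, today: date, stale_after_days: int = 7) -> CoverageReport:
    """Classify every inventoried host and every reporting agent."""
    inventory = {normalize(a["hostname"]) for a in cmdb}

    # Keep the most recent check-in per host; duplicate agent rows are common.
    last_seen: dict[str, date] = {}
    for agent in agents:
        host = normalize(agent["hostname"])
        seen = date.fromisoformat(agent["last_checkin"])
        if host not in last_seen or seen > last_seen[host]:
            last_seen[host] = seen

    report = CoverageReport()
    for host in sorted(inventory):
        if host not in last_seen:
            report.unprotected.append(host)
        elif (today - last_seen[host]).days > stale_after_days:
            report.stale.append(host)
        else:
            report.covered.append(host)

    # Agents the CMDB does not know about are the "unknown" risk itself.
    report.unknown = sorted(set(last_seen) - inventory)
    report.coverage_pct = (
        round(100.0 * len(report.covered) / len(inventory), 1) if inventory else 0.0
    )
    return report


if __name__ == "__main__":
    result = reconcile(CMDB_ASSETS, EDR_AGENTS, today=date(2024, 5, 3))
    print(f"EDR coverage: {result.coverage_pct}% of inventoried hosts")
    print("unprotected (no agent):     ", result.unprotected)
    print("stale (agent silent >7d):   ", result.stale)
    print("unknown (agent, not in CMDB):", result.unknown)
```

Run against a real CMDB export and EDR enrollment export, the `unprotected` and `stale` lists are the concrete to-do for the endpoint team, while `unknown` feeds back into the inventory; the coverage percentage is a simple, repeatable metric of the kind the report says most organizations lack.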
Kunal Modasiya, vice president of product and growth at Qualys, said that when organizations have a good handle on their asset inventories and corresponding attack surfaces, they are in a better position to manage technical debt holistically.
"Without this first step, the biggest risk is the unknown."
—Kunal Modasiya
Modernize your tools — and your approach
OX Security’s Teitler-Santullo said quantifiable risk reduction is a persistent challenge for nearly every security organization.
"To start, risk, in and of itself, is subjective. The risk of a network going down is more important to a telecom provider than it would be for a chain of restaurants. Both business types would be impacted, but a restaurant can run if its networks are down. AT&T, Verizon, T-Mobile, not so much."
But one constant today is the evolving threat landscape, and the bulk of modern risk is tied to software. The first analysis of software supply chain security based on the Open Software Supply Chain Attack Reference (OSC&R) threat framework was released recently, and the news isn't good. The report, "OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures," noted:
"While [application security (AppSec)] programs and practices continued to mature in 2023, our analysis indicates there is much more work needed if we are to manage the risks effectively."
The best way to protect your organization against modern threats is by changing your mindset about risk, ReversingLabs evangelist Josh Knox wrote recently:
Ask yourself: What am I running in my environment? What am I allowing for updates? Is there something that has low-level control over my systems that could blow up at any moment? What are people or processes putting into my systems, who’s responsible for those updates, and do those entities perform adequate testing before issuing an update?
—Josh Knox
Knox recommends ReversingLabs' essential guide to software supply chain security, Software Supply Chain Security for Dummies, as a first step toward taking action.