New research from cybersecurity firm Sophos shows that the vast majority of organizations find executing essential security operations tasks challenging, which makes incident response and remediation difficult in the face of an onslaught of attacks.
According to the company’s report, “The State of Cybersecurity 2023: The Business Impact of Adversaries,” 94% of global organizations reported expecting at least one cyberattack of some form in 2022, which makes the lack of security skills and manpower even more alarming.
Essentially, security teams simply cannot keep up with the increasing rate of attacks, with organizations spending the bulk of their time on incident response and not enough time on threat detection, leading to 93% finding the execution of essential security operations difficult.
Investigating security alerts is one of those “challenging” tasks, per Sophos’ report, as just 48% of all alerts are investigated to determine whether they are signs of malicious activity. In addition, 71% of organizations say they struggle to identify and prioritize which alerts or incidents to investigate.
When security teams do narrow in on an alert to investigate, the full detection, investigation and response process takes many hours, with the time spent increasing along with the number of employees at the organization.
According to Sophos, detection, investigation and response takes an average of nine hours for organizations with 100 to 3,000 employees, but that nearly doubles to 15 hours for organizations with 3,001 to 5,000 employees.
With cyberattacks becoming more advanced and moving beyond the traditional phishing email with malicious links, over half of IT professionals say cyberthreats are too advanced for their organization to deal with on its own. At small businesses, that figure rises to 64% as IT and security teams are typically much smaller or even outsourced.
These issues have even wider effects on organizations, including financial impacts: the average cost for a small to mid-sized organization to remediate a ransomware attack comes in at $1.4 million, according to Sophos.
In addition, responding to cyberattacks and mitigating potential attacks takes time and resources away from other IT issues, with 55% telling Sophos that other IT functions have suffered as a result of cybersecurity issues.
Sophos also touches on the human resources issues of the cybersecurity burden, as 57% of IT professionals say that worrying about cyberattacks sometimes keeps them up at night. At mid-size organizations, that rises to 65%. Given the well-documented cybersecurity skills shortage, this represents a major issue.
When asked about their top cyber risk concerns, just 20% cited enabling access for remote users, and just 22% said fixing unpatched vulnerabilities. According to John Shier, Sophos’ commercial CTO, those are worrying numbers as those are two popular routes attackers exploit to gain access to a victim’s network.
Organizations aren’t seeing the full picture and are potentially acting on incorrect information, and many of them are stuck in reactive mode.
“Not only is this having an impact on core business priorities, but it also has a sizeable human toll, with over half of respondents stating that cyberattacks are keeping them up at night,” Shier says. “Eliminating the guesswork and applying defensive controls based on actionable intelligence will let IT teams focus on enabling the business instead of trying to douse the eternal flame of active attacks.”
Sophos concludes its report by recommending organizations focus on prevention, reducing exposure and disrupting adversaries, as well as combining security technologies with human expertise.