43% of Organizations Grade Their Cybersecurity “C” or Worse

More than one in four organizations have been breached in the past 12 months, while 23 percent aren’t sure if they have been breached or not.

When asked to grade their organization’s cybersecurity program, 43 percent of survey respondents gave themselves a “C”, “D”, “F”, or “non-existent”, and only 15 percent gave themselves an “A”. While there isn’t a one-size-fits-all solution to network security, the “A” grade companies have several attributes in common, including a high level of automation, a threat intelligence framework, and a robust training program for security staff.

That's according to the 2017 Cybersecurity Report Card by DomainTools, which also found that one-third of security pros are savvy enough to detect daily attacks, but the looming majority (66 percent) are unaware of the daily onslaught of malicious activity. While malware (76 percent) and spearphishing (56 percent) are the most common types of threat vectors, business email compromise (25 percent) and DDoS attacks (24 percent) are on the rise. Finally, nearly one-third of respondents were the recipients of attempted cyberextortion, also known as ransomware, which cost businesses more than $1 billion in 2016.

Of the 15 percent of companies that gave themselves an “A” grade, the vast majority (82 percent) boast a formalized training program for security staff, virtually all (99 percent) utilize some degree or a high level of automation within their security programs, and 78 percent use threat intelligence to follow up on forensic clues of an attack to protect the company. These attributes compare starkly to lower-graded companies. For example, only 37 percent of the “C” companies and none of the “F” companies have a formalized training program, 63 percent of “D” companies use manual processes and are more likely to think they do not need automated processes. What’s more, when asked if they have experienced a network breach in the past 12 months, only 15 percent of “A” companies have, compared to 27 percent of “C” companies, 38 percent of “D” companies, and 63 percent of “F” companies. In addition to more budget (50 percent) and more staff (49 percent), 42 percent of companies that did not grade themselves an “A” said that they need more time to evaluate and install technologies in order to be successful.

The overwhelming number of ways to attack a network naturally begets the need for a variety of protections. Almost all companies use more than one cybersecurity system, including firewalls (63 percent), anti-phishing or other messaging security software (57 percent), Security Information and Event Management (SIEM) systems (52 percent), and threat intelligence platforms (42 percent). More than one quarter (26 percent) spend 26 hours or more per week hunting threats in the network, and the vast majority (78 percent) find value in threat hunting – specifically in drilling down on forensic clues from phishing emails, such as domain name, IP address, or email address, and disclose that it leads to information that makes the organization more secure. Interestingly, “A” and “B” companies were more likely to follow up on clues and evidence compared to ”D” and “F” companies.

Security magazine spoke with Senior Security Researcher, Kyle Wilhoit of DomainTools about the findings.

Security magazine: What was the most surprising finding? Why?

Kyle Wilhoit: The most surprising finding that I’ve found personally interesting is that 42% of organizations use some sort of threat intelligence platform. I think this is interesting because there is still 58% of organizations that don’t use any sort of threat intelligence platform to either hunt or enrich indicators of compromise or attack.

Security magazine: How can most companies looking to improve their grade in 2017 and beyond?

Kyle Wilhoit: In my opinion, there’s two things that organizations should consider to improve their grade. First, is that the 58% of organizations that don’t use threat intelligence platforms need to reach a maturity level to leverage these types of platforms and technologies. One of the biggest problems I see is that 68% of respondents indicated that they have no capability to model threats in their organizations. Those same respondents indicated they have no capability for mapping threat infrastructure. Knowing who is attacking your organization is the first step in figuring out how to proactively monitor, protect, and respond to attackers. Also, pay special attention to the threat outliers- like business email compromise and DDoS attacks. These may not be the most prevalent threat facing organizations today, but they are increasing in prevalence and destructiveness.

Security magazine: What were the biggest differences between those that graded themselves as an “A” versus the “C” folks and below?

Kyle Wilhoit: Maturity. An organization’s information security maturity is directly tied to what they graded themselves as. For instance, having a threat intelligence platform in place, that is being used properly, is typically found in “A” and “B” organizations. This is primarily because these organizations have the budgets to purchase staff skilled in threat intelligence as well as budget to purchase tools that the intelligence analysts can use. In addition, “A” and “B” groups identified that they follow up on indicators of compromise and attack. “C” groups and below typically identified that they were not able to follow-up on those indicators.