October is Cybersecurity Awareness Month. Throughout the month, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance will highlight ways to “secure our world” by educating the public on ways to stay safe online.
This initiative comes at a time when at least three high-profile companies — including one that specializes in smart buildings — have experienced recent cyber-attacks.
The most recent and closest to home for the security industry came when it came to light through a regulatory filing that industrial control manufacturer Johnson Controls experienced a cyber-attack in September that could have implications for the Department of Homeland Security, among others.
In late September it was reported that Sony was also investigating a reported ransomware attack in which one hacker group claimed to have successfully compromised all of Sony’s systems.
And earlier last month, MGM Resorts released a statement regarding a “cybersecurity issue” affecting company data. That attack was allegedly triggered through a phone call to the resort’s help desk.
In a Security Magazine article about the MGM incident, Nicko van Someren, chief technology officer at Absolute Software, said, “[The] cyberattack on MGM Resorts emphasizes the critical importance of cybersecurity resilience in today's interconnected digital landscape. As organizations increasingly rely on technology to conduct their operations and manage the customer experience, they become more vulnerable to malicious actors seeking to exploit vulnerabilities. Cybersecurity resilience isn't just about preventing attacks; it's about having the capacity to detect, respond to and recover from such incidents swiftly and effectively.”
But the recent news isn’t all bad.
A report from GetApp’s 5th Annual Data Security Report found that U.S. businesses as a whole are gaining some ground against cyber criminals.
The report — based on a survey of 872 workers including IT professionals and IT security managers — highlighted six key trends that are headed in the right direction:
- Most security leaders view AI as more friend than foe, with 59 percent of IT security leaders saying AI is more likely to help security teams enhance their defenses than it is to strengthen cyber criminals. However, IT leaders still voice security concerns about AI.
- Phishing is down, but the overall threat remains high. While 80 percent of businesses report receiving phishing emails this year that is down 9 percentage points from 2022; and those reporting that their employees clicked on a malicious link fell 20 percentage points to 61 percent, versus 81 percent in 2022. However, IT security managers consider advanced phishing attacks as the top threat heading into 2024.
- Ransomware attacks have dropped from 53 percent to 37 percent year-over-year, while the rate of victims paying the ransom has decreased from 67 percent to 36 percent. The report attributes this to a rise in businesses decrypting ransomware on their own, along with rising adoption of incident response plans.
- Data access privileges are becoming more restricted, with only 16 percent of businesses now allowing employees access to all company data, down more than 50 percent from 2022.
- IT security spending is up at U.S. businesses, with 7 in 10 businesses increasing their IT security budget this year, compared to 63 percent in 2022. In addition, a steadily growing number have formal protocols in place to report a suspected cyberattack, rising from 77 percent in 2021 to 83 percent in 2022, and now up to 94 percent in 2023.
- The number of businesses that provide security awareness training every six months has more than doubled over the last four years — 42 percent in 2023 vs. 19 percent in 2019.
Cybersecurity is a complex and critical issue that will continue to be a concern for the foreseeable future. One key is to continue following and implementing the positive trends highlighted above, while remaining ever vigilant. As recent incidents show, no company, even one that specializes in security, is immune from experiencing a cyber incident.