Cyberattacks aren’t a roll of the dice for organizations, but rather a near certainty. Almost all organizations, 94%, experienced a cyberattack of some form during the last year, according to research Sophos released Tuesday.
All companies should assume they will be a target in 2023, researchers warned.
This constant barrage of malicious activity has organizations reeling. Most businesses are confronting threats that are too advanced to deal with internally, and a majority report cyberthreats negatively impact their ability to accomplish IT projects or dedicate time to strategic issues.
“Many organizations are overwhelmed and struggling to accomplish both routine operational tasks and strategic initiatives,” John Shier, field CTO of commercial at Sophos, said via email. “This manifests itself in organizations that are reactive and unable to improve their situation because they are constantly on the back foot.”
The report is based on a survey of 3,000 leaders responsible for IT and cybersecurity across 14 countries. The survey was conducted in January and February.
Nearly all respondents, 93%, said essential security operations tasks remain challenging and only half of security alerts are investigated. Three-quarters of respondents reported difficulty identifying the root cause of cyberattacks.
“It's not so much that security controls are failing, though for some that might be the case, but rather the overall system not operating,” Shier said. “Like many complex systems, security infrastructure requires many layers operating together with redundancies applied throughout.”
The top five cyberthreats of concern to the IT and cybersecurity leaders surveyed are data theft, phishing, ransomware, extortion, and DDoS attacks. Just 1% said they’re not concerned about any cyberthreats affecting their organization this year.
“The reality is that it need not be this way,” Shier said. Organizations should immediately and honestly assess their capabilities, identify gaps, and institute a plan to mitigate those issues.
“There’s too often a habit of understating risks and overstating capabilities,” Shier said. “This leads to many organizations thinking and acting like they are secure when it couldn’t be further from the truth.”