Why CIOs Embrace BAS Platforms For Investment Decisions?

According to security and analytics experts, companies worldwide spent a combined $114b on security products (both hardware and software) and services last year, a figure expected to exceed $140b by 2021. In 2017, the average cost of a single data breach for organizations was $3.62 million, and 66% of respondents believe data breaches or cyber-security exploits will seriously diminish their organization’s shareholder value. Organizations are making the protection of customer data and proprietary secrets a priority and want to limit the reputational risk that results from a data breach. That’s why improving their cyber-security posture to defend against potential cyber-attacks is high on their list. The range and scope of unknown attacks dictate how they defend themselves while staying within budget. Since the risk of being attacked is so high, C-level managers are now more aware of the threat and understand their responsibility. CIOs are under pressure to prioritize cyber-security and shift budget to acquire security solutions, and at times they make these decisions based on assumptions. According to a recent survey conducted by EY, 42% of responding CIOs are willing to invest more than 10% of their annual IT budget in cyber-security.

For CIOs, making their organizations cyber resilient by getting cyber-security right is far from simple. Contrary to what some technology providers claim, there is no “one solution solves all”. Organizations expect cyber-security solutions to be “plug-and-play”; however, to be effective, those solutions need to be customized to fit the organization. They are more complex than CIOs expect, and they are only effective when they are adapted, adjusted and updated regularly. That’s a luxury only a few organizations can afford.

CIOs are facing an uphill battle in their fight to boost the cyber-security posture of their organizations. They are stuck with security products that have been purchased over time, an investment that top management is unwilling to let go of. CISOs are under more and more pressure to deliver (especially post-GDPR), and are asking for more products, services, and staff to get the job done. In many cases, CIOs are confronted with requests for more budget from within the organization. Threat intelligence or incident response teams are asking for budget to strengthen the organization’s policy and compliance, invest more in security information & event management, and even extend endpoint threat detection or forensics & incident investigation.

Since cyber-attacks are becoming more complex, severe and persistent, it has become impossible to find a single vendor who can solve it all. Too many products have also been purchased by the organization over the years, and CIOs don’t know exactly where the major weaknesses and unprotected assets are, or where there are overlaps in the organization’s cyber-security layout. That’s why it is time for CIOs to take a new approach: instead of guessing how their organization will cope with the next cyber-attack, they simply need to simulate the attack lifecycle, which consists of several stages:

  1. To gain initial access, attackers use various strategies (e.g., drive-by compromise, exploiting public-facing applications that have weaknesses, hardware and software additions that can be abused by attackers, lateral movement and hopping, spear-phishing attachments that launch the attached malware, etc.).
  2. For execution, the attackers use techniques that give them control over malicious code running on a local or remote system. They maintain access to the attacked systems and use privilege escalation to obtain a higher level of permissions on a system or network. They also use techniques to avoid detection or evade defenses during all phases of their attack.
  3. Discovery allows an attacker to gain knowledge about the system and the internal network. The operating system provides many native tools that help attackers gather information they can use, e.g., for stealing sensitive or financial information. They also collect information for
  4. Exfiltration allows an attacker to steal files and information from the compromised network.
  5. Their Command & Control center allows the attacker to communicate with the systems under their control within the compromised network and keep on exfiltrating information that is profitable for them.

Considering these various attack stages, it’s essential for CIOs to find out where there are weaknesses and where there are overlaps in the organization’s cyber-security protection. A professional Breach & Attack Simulation (BAS) platform will provide CIOs with a fresh perspective regarding their existing practices and investments and will identify all security vulnerabilities to be solved. This also allows the organization to invest wisely, both financially and strategically. The results and the recommendations provided by the platform will give the decision makers the information they need for making the necessary changes in their data security products and services, and the ability to save funds when overlaps are detected.

Want to learn more? Contact Cymulate or ask for a free trial to check how a BAS platform can assist.
