A new survey has found that control failures are primarily to blame for an increasing number of cybersecurity incidents at large organisations.


The data, taken from an external Panaseer study of 1,200 enterprise security leaders, also reveals that an increase in tools and manual reporting, combined with control failures, is contributing to the success of threats such as ransomware, which costs organisations an average of $1.85 million in recovery.

Panaseer developed the report to get insight into how the state of enterprise security has evolved in the last two years, following a global shift to new working models.

Currently only 36% of security leaders feel very confident in their ability to prove controls were working as intended.

This is despite 99% of respondents believing it is valuable to know that all controls are fully deployed and operating within policy, and despite cybersecurity control failures currently being listed as the top emerging risk in the latest Gartner, Inc. Emerging Risks Monitor Report.

Attacks only succeed when they hit systems that haven’t been patched or don’t have security controls monitoring them.

The vast majority (82%) of security leaders have been surprised by a security event, incident, or breach that evaded one or more controls thought to be in place. It takes multiple control failures for an attack to be successful: respondents reported that, in their experience, an average of five or more control failures were needed for an event, incident or breach to succeed.

The report also confirmed that only 40% of security leaders can confidently understand and remediate underperforming controls and track improvement. Over half (60%) of the security leaders lack strong confidence in their ability to continuously measure security controls that mitigate the infiltration, propagation, and exploitation of a successful ransomware attack.

The rise in threats and the shift to cloud-enabled remote working have increased the number of security tools used by large enterprises. On average, enterprise security teams are struggling to manage 76 discrete security tools, a significant jump from 2019, when the average was 64. An increase in tools can also increase reporting requirements.

According to the report, security teams spend more than half their time (54%) manually producing reports for the Board, regulators and auditors. This is an increase of over a third from 2019, when security teams spent on average 40% of their time manually producing reports. The main tasks involved in manual reporting include extracting data, moving data, cleaning data, merging data, making calculations, and formatting and presenting data.

Databases topped the list of assets into which security teams had the least visibility (27%), followed by devices (17%) and then Internet of Things (16%). The lack of visibility around databases correlates with a sharp rise in ransomware attacks, which have quadrupled during the pandemic and which the National Cyber Security Centre recently cited as “the most immediate danger to UK businesses.”
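The reporting work described above (extracting, merging and calculating over exports from many tools) and the coverage question the respondents lack confidence in (is every control actually working on every asset?) both come down to one reconciliation. The following is an added example, not code from the report or from Panaseer: it joins a constructed asset inventory against constructed per-control exports, treats a control as working only when the asset is present and its agent has reported recently (a stale agent is a silent control failure), and counts how many controls have failed on each asset. All hostnames, dates and control names are made up for illustration.

```python
"""Control-coverage reconciliation over constructed tool exports.

Joins an authoritative asset list against the inventory each security
control reports, so "control deployed on every asset" becomes a measured
number rather than an assumption.
"""
from datetime import date, timedelta

# Constructed sample data: an authoritative asset inventory (e.g. a CMDB export).
ASSETS = ["db-01", "db-02", "web-01", "web-02", "laptop-17", "iot-cam-3"]

# Constructed exports from individual controls: hostname -> last check-in date.
# Control names are hypothetical labels, not any vendor's product names.
TODAY = date(2022, 1, 10)
CONTROL_EXPORTS = {
    "edr_agent":  {"web-01": date(2022, 1, 9), "web-02": date(2022, 1, 9),
                   "laptop-17": date(2021, 11, 2)},        # laptop agent went quiet
    "vuln_scan":  {"db-01": date(2022, 1, 3), "web-01": date(2022, 1, 3),
                   "web-02": date(2022, 1, 3), "laptop-17": date(2022, 1, 3)},
    "patch_mgmt": {"web-01": date(2022, 1, 8), "web-02": date(2022, 1, 8),
                   "laptop-17": date(2022, 1, 8)},
    "backup":     {"db-01": date(2022, 1, 10), "web-01": date(2022, 1, 10)},
}
# Check-ins older than this are treated as the control not working.
MAX_AGE = timedelta(days=7)


def control_status(assets, exports, today, max_age):
    """Return {asset: {control: 'ok' | 'stale' | 'missing'}}.

    'missing': the control has never seen the asset at all.
    'stale':   the control knows the asset but has not reported recently.
    """
    status = {}
    for asset in assets:
        status[asset] = {}
        for control, seen in exports.items():
            if asset not in seen:
                status[asset][control] = "missing"
            elif today - seen[asset] > max_age:
                status[asset][control] = "stale"
            else:
                status[asset][control] = "ok"
    return status


def coverage(status):
    """Percentage (0-100, one decimal) of assets on which each control is working."""
    if not status:
        return {}
    controls = next(iter(status.values())).keys()
    total = len(status)
    return {
        c: round(100 * sum(1 for a in status if status[a][c] == "ok") / total, 1)
        for c in controls
    }


def failure_counts(status):
    """Number of non-working controls per asset."""
    return {a: sum(1 for s in c.values() if s != "ok") for a, c in status.items()}


def unprotected(status, threshold=2):
    """Assets with at least `threshold` failed controls, worst first, then by name."""
    counts = failure_counts(status)
    return sorted((a for a, n in counts.items() if n >= threshold),
                  key=lambda a: (-counts[a], a))


if __name__ == "__main__":
    st = control_status(ASSETS, CONTROL_EXPORTS, TODAY, MAX_AGE)
    for control, pct in coverage(st).items():
        print(f"{control:<11} working on {pct:5.1f}% of assets")
    for asset in unprotected(st):
        failed = [c for c, s in st[asset].items() if s != "ok"]
        print(f"{asset:<10} {len(failed)} failed controls: {', '.join(failed)}")
```

The coverage figure is computed against the authoritative asset list, not against what each tool reports, which is the only way to catch assets a tool has never seen. The staleness rule matters for the same reason: an agent that is installed but has stopped reporting still shows up in the tool's own console as "deployed", which is precisely the "control thought to be in place" the survey respondents were surprised by.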

Jonathan Gill, CEO, Panaseer, said:

“The number of security tools continues to grow to meet the increasing threat and fast-evolving technology landscape. These tools produce vast amounts of data, but unfortunately, the data does not always join together, and this has now become a data science problem.

“Many organisations try to resolve this with spreadsheets and other in-house solutions that simply increase the reporting and administration burden on precious cybersecurity resources. It’s almost impossible to understand an organisation’s assets, the status of controls relating to those assets, and the business context or ownership of the associated vulnerabilities,” he added.

“Most attacks happen despite organisations having invested in controls to defend themselves, but finding those controls were not deployed across all assets as intended,” he continued.