安全哀悼：英国的网络安全状况（英）-2022-17正式版

Security’sLament:ThestateofcybersecurityintheUK2“Thefuturebelongstoorganisationswithastrongcybersecurityfoundation”3 iomartCyberSecurityReport October2022WelcomefromReeceWelcometotheiomartStateofCyberSecurityReport2022.Thechangeswe’veallexperiencedinthelastthreeyearshaveleftalastingmarkonthebusinesslandscape.Therearefewplaceswe’reseeingthatmoreprevalentlythancybersecurity.Organisationsarefacingagreaternumberofthreatsthaneverbefore.Thatmuchisevidentfromtheresponsesanddatagatheredinoursurvey,withthenumberofbreachesbeinghigherthanevenIexpected.What’smore,thethreatswenowfacearefarmorecomplexanddifficulttodefendagainst.So,rightnowthere’sagreatdealofuncertaintyallaroundus.Thisuncertaintycanmakeyourlifeasadecisionmakerprettychallenging.Wehaveworkedwithindependentresearchexperts,OxfordEconomics,toproducethiscybersecurityreport.OuraimwastosurfacewhatotherUKbusinessleadersareexperiencing,howthey’renavigatingchallenges,andgiveyouabitofclarityonthecybersecuritylandscape.Itcanfeelprettytoughwhenyou’refacingcybersecurityissuesalone.It’sdifficulttobenchmarkyourstrategyamongstyourpeers.Orevengetclarityaroundthebesttechnologytouse–andhowtoattracttherighttalenttoproperlyusethattechnology.Fromthereport,you’llfindthat,whilecybersecurityiscomplexandchallenging,itcanalsobeusedasabusinessenabler–toattractmorecustomersanddifferentiateyourselffromthecompetition.Alongwithvaluableinsightintohowotherbusinessesaretacklingthisnewthreatlandscapesuccessfully.Wehopeyoufinditreallyinterestinganduseful.Thanks,ReeceDonovanCEOiomartGroupplc1ContentsIntroduction. 3Part1:Theconstantpressuretokeepupwithevolvingthreats 4Part2:Sourcingtherighttechnologyandtalenttocombatthreats. 6Part3:Theorganisationsthataredoingcybersecurityreallywell 8Conclusion 112 iomartCyberSecurityReport October2022IntroductionThethreatlandscapehasneverbeensocomplexandchangeableThethreatlandscapecontinuestoevolveatadizzyingpace.Assoonasthemarkethascomeupwithanewtechnologysolutiontodeterbadactors,theygettoworkfindinganotherwayin.Theoldhackerstereotypesdon’tringtrueanymoreeither.It’snolongerafewhackersinadimlylitbasement–manybadactorsnowruntheiroperationsasfullyfledgedbusinesses.They’rewellresourced,well-fundedandoftenhighlyskilled.Insomecases,theyevenhavecustomerservicedepartmentsforfellowhackersstrugglingtousethemalicioussoftwarethey’vepurchased.ThefuturebelongstoorganisationswithastrongcybersecurityfoundationFromourreportonethingisclear.Acybersecurityincidentisamatterof‘when’ratherthan‘if.’Somakingsureyouhavearobustsecuritypostureisessentialtomitigateagainst,anddealwith,threats.It’snotjustaboutprotectingyourselfthough.OurreportalsoshowsthatmanyCyberSecurityStrategyLeadersareusingtheirstrategiestosupportinnovation,attractbusinessandenablerevenuegrowth.Todothis,theytakeaholisticapproachtosecurity–aligningtheirsecurityplanswiththeirITandbusinessstrategies.Noteveryonewesurveyedisquitetherethough.Asitcanbechallengingtopivotyourentirebusinesstowardaholisticandjoinedupcybersecurity

ThebestperformingorganisationshaveafewthingsincommonThere’salottojuggle(andcontendwith).Butourreporthasfoundtheorganisationsdoingitright,fullyunderstandtheoperational,financialandreputationaldamagethatcanbedonebyasingleincident.Andtheseorganisationshaveafewkeythingsincommon:Theyknowwheretheyarevulnerabletothreats(fromwithinandoutsidetheirorganisation).Theyfosteracross-functionalcultureofsecurity.Theyincludesecurityexpertiseontheirboard.Theyprocure,train,andupskilltherightemployees.Theystrategicallyinvesttomodernisecybersecurityoperations.UnderstandinghowUKorganisationsareimplementingtheirstrategiesDuetoitsnature,cybersecurityisoftenplayedwithcardsclosetothechest.Andunderstandablyso.Thismakesithardfordecisionmakerstobenchmarktheircybersecurityapproachagainstotherorganisations.So,tohelpyoubetterunderstandhowcybersecuritydecisionmakersareimplementingtheirplans,OxfordEconomicsandiomartsurveyed500executivesresponsiblefortheirorganisation’scyberstrategy.Thesamplecomprisesexecutivesfromarangeofindustries—mostwithmorethan1,000employees—allbasedintheUK.

Thesurveyrevealedthesekeytakeaways:Securityincidentsareontherise,butfewarepreparedExecutivesarereportinghighnumbersofcybersecurityincidents(andthosearejusttheonestheyknowabout).Fewfeelconfidentincombattingtheirtopchallengeslikephishingandmalware,andalackofskilledemployeesmakesitevenhardertoovercometheseobstacles.Keepingupwithevolvingthreatscontinuestobedifficult,evenmoresowhenthetalenttodealwiththesechallengesisinshortsupply.Cyberprotectioncan’tjustbebought,itneedstobemanagedWithsomanycybersecurityproductsonthemarket,itcanbeoverwhelmingtofindwhichbestsuityourexistinginfrastructure.Investingintechnologytoanticipateandstopattacksintheirtracksiscrucial.Buthavingateamthatknowswhichproductsareneeded,andhowtoimplementandinterprettheiroutput,isevenmorecritical.EliteorganisationsshowawayforwardAselectgroupofrespondentswecallCyberSecurityStrategyLeadersaremorelikelythanotherstoeffectivelymanagecyberattacks,leveragedata,andallocatetalenttoimplementtheirstrategy.LearningfromtheseLeadersmaybecrucialtocombattingcyberincidentsandreachingorganisationalgoalsgoingforward.approach.Manyrespondents’securitystrategiesareaworkinprogress.AndtheseUKbusinessesfindthemselvesdeveloping,updatingandexecutingtheirplanswhilesimultaneouslycombattinganunprecedentednumberofattacks.Furtherchallengesarisewhenyouaddintheconstantlyevolvingthreatlandscape,alongsidemergersandacquisitions,allwhilelookingfortherightsolutionsinanoisycybersecuritymarketplace.

Methodology/demographicsandkeydefinitionsSample:Cybersecuritystrategydecisionmakers(n=500).Executivetitles:CTO,CIO,CISO,CFO,COO,ChiefDigitalOfficer,CEO,ChiefRiskOfficer,ChiefDataOfficer.Sectorscovered:Software,Professionalservices,Legal,Finance,Not-for-profit,Government,Insurance,HealthcareManufacturing,Retail,Transportation,Oil,gas&utilities,Consumerproducts.Companysizesrepresented:Mostrespondentshavemorethan1,000employees.15%have£250m–£499minrevenue,21%have£500m–£999minrevenue,24%have£1bn–£4.99bninrevenue,18%have£5bn–£9.99bninrevenue,23%havemorethan£10bninrevenue.Locationscovered:RespondentsareallfromtheUK.Datesfielded:JulyandAugust2022.3Part1:Theconstantpressuretokeepupwithevolvingthreats55%usesecurityasabasisforinnovation

Financesawthehighestrateofincidents,withanaverageof41,followedcloselybyInsuranceat40,andHealthcareat39incidents.Tomakemattersworse,thepandemicforcedsomeorganisationstochoosebetweenimprovingcybersecurityorkeepingtheiroperationsgoing.Almosthalfagreetherapidchangesinducedbythepandemicledtheirorganisationtosacrificecybersecuritytokeepthelightson,withGovernmentrespondentsmostExecutivesrecognisethevalueofstrongcybersecurityMostrespondentsagreethatastrongsecurityposturecanhelpwithstandexternalthreatsaswellasbuildafoundationforinnovation.Morethanhalfexpecttoseetheirreputationsimprove(56%).And55%usesecurityasabasisforinnovation.Anevenlargernumber(64%)agreethatastrongcybersecurityfoundationcanweathercurrentandemergingthreats.

KeepingpacewithvastnumbersofthreatsisanendlesschallengeOurrespondentsexperiencedanaverageof24incidentsinthepastyear.Whilerespondentsunderstandtheimportanceofasolidstrategy,thenumberofincidentsreportedisstillalarminglyhigh(andthosearejusttheonestheyknowabout).Infact,almosthalfagreecybersecuritythreatsfrombadactorshaveintensifiedinfrequencyoverthepasttwoyears.

likelytosaythis(57%agreed).Fromphishingtoransomware(andeverythingelseinbetween)therelentlessnatureofemergingthreatsprovebothalarmingandchallengingforanyone.Andwecanclearlyseefromrespondentsthat,keepingupwiththepaceofthesethreats,presentsuniquechallenges,andfewareconfidentaboutovercomingthem.Fig.1AllindustriesexperiencedalarminglyhighlevelsofcyberincidentsApproximatelyhowmanycybersecurityincidentshasyourorganisationexperiencedoverthelastyear?Numberofcybersecurityincidents

FinanceInsuranceHealthcareProfessionalServicesLegalSoftwareRetailTransportationOil,Gas,UtilitiesGovernmentNot-for-profitManufacturing605550453530201510504 iomartCyberSecurityReport October2022ConfidenceinthreatresponseremainslowamongexecutivesCybersecurityisnoteasy.Theinabilitytosuccessfullyanticipateandcombatacyberincidenthasledtodisruptedoperations(66%ofrespondents),increasedcoststoremediate(57%),andnegativereputationalimpact(50%).Executivesneedtobridgethesegapstopreventirreversibledamage.Phishing(62%),stilloneofthemostcommonwaysbadactorsluretheirvictims,andmalware(57%)arethecybersecuritythreatsmostofourrespondentsareworriedabout.Butonlyabouthalfsaytheyareconfidentintheirorganisation’sabilitytohandleeach(51%phishingand49%malware).Andonly23%saythey’reconfidentlypreparedforransomware,athreatthat’sdominatedheadlinesforthedestructionanddisruptionithascaused.

ExecutivesflagalackofinternalskillsandresourcesasamajorchallengeTomakethingsworse,nearlyhalfsaytheireffortsarehamstrungbyalackofinternalskillsandresources.Andmanyarelostamongstthefloodofcybersecurityproductsandservicesonthemarket.Morethanone-thirdofrespondents(36%)sayithasgrownharderandmoreexpensivetofindandretaincybersecuritytalent.Andnearlyhalf(47%)citeskillsshortagesasthetopchallengewhenitcomestomeetingtheircybersecuritygoals.Thislabourshortagehasmadeithardertomovepastpandemic-eraproblems.Theincreasedvolumeofdata(49%),changingbusinessmodels(45%),andincreasedpaceoftechnology(43%)continuetocomplicateorganisations’abilitytoprotectthemselvesfromcyberthreats.23%canconfidentlyhandlearansomwareattackFig.2SkillsshortagestopofmindforexecutivesWhatarethetopchallengestomeetingyourorganisation’scybersecuritygoals?5Part2:SourcingtherighttechnologyandtalenttocombatthreatsFig.3LingeringdemandsandchallengesfromthepandemiccloudthepictureTowhatextenthavethefollowingeffectsofthepandemiccomplicatedyourorganisation’sabilitytoprotectitselffromcyberthreats?NavigatingafloodofdifferentcybersecurityofferingsWithawidearrayofcybersecurityproductsonthemarket,executivesarefindingitdifficulttonavigatetheofferingsandgetthemostfromtheirinvestments.Respondentsfoundit’snotenoughtounderstandhowtomanagethreatsintheory–theyalsoneedtoassembletherightteamtogetthejobdone.Oursurveyfoundmanyexecutiveshavetroublesortingthroughthe

pandemicaddedextracomplexityasitpushedmanyexecutivestopivotontheirstrategy.Respondentssaythepandemicbroughtwithitapressingneedtomanageanunprecedentedamountofdata,alongwithfastchangingbusinessmodels,allwhilekeepingupwiththepaceoftechnology.Executivesjugglingthisalongsidetheirorganisation’scybersecuritystrategysayithascomplicatedtheirabilitytoprotecttheirorganisationfromcyberthreats.39%struggletosiftthroughthenoiseofsecurityplayersandproductsnoisefrommanydifferentsecurityplayerstofindtherightfitfortheirneeds—nearlytwoinfive(39%)saytheystrugglewiththis.Butit’snotjustaboutfindingtherightcybersecurityplayer.The

Hiring,trainingandretainingtherighttalentisthekeytocybersuccessWhilemostofoursurveyrespondentshavetakenthecriticalstepofinvestinginnewproductsto6 iomartCyberSecurityReport October2022Fig.4MosthavetakenthefirststepWhatstepshasyourorganisationtakentoprotectitselffromcyberattacks?Whatdoesitplantodointhenexttwoyears?supportastrongercyberstrategy,fewsaytheseinvestmentshaveactuallybeeneffective.Morethanthreequartershaveinvestedincybersecurityservices(80%)andproducts(78%),butlessthanhalf(43%)saythey’vereapedthebenefits.Thismightbebecausemanaginganarrayofproducts,manypurchasedwithoutaclearstrategy,isadauntingtask.Andawidespreadskillsshortagemakesthetaskevenmoredifficult.Almosthalfsayalackofinternalskillsisatopchallengetomeetingtheircybersecuritygoals,andthesamesaytheuptickindatavolumecomplicatesthesecuritypicture.Withoutsomeonetosortthroughthenoise,usefulinsightscanbelost.GettingthemostfromyourcybersecurityinvestmentsOrganisationsneedtherightpeopletomanagetheshifttonewertechnologies.Executivesarestartingtounderstandthis,butit’seasiersaidthandone.

Morethanonethirdofrespondents(36%)sayithasgrownharderandmoreexpensivetofindandretaincybersecuritytalent.Toclosesomeofthesegaps,mosthavealreadyupskilledemployees(77%)andbroughtonmanagedserviceproviders(70%).Butexecutivesalsoseemtobelookingatnon-traditionalsourcesoftalenttoovercomeskillsshortages,with64%planningtoprovideinternshipsandapprenticeshipsoverthenexttwoyears.Half(51%)plantostockboardswithmemberswhohavecybersecurityexpertiseandinvestinthirdpartyconsultantsinthenearfuture(52%).Butbringingmorepeopleondoesn’thavetobetheonlysolutiontoaskillshortage–AIandautomationcanpullsomeweighttoo.Futuretechnologyinvestmentswillfocusonprivatecloud(81%),automation(77%),andAI(72%)–thelasttwoofwhichcouldhelpwithskillsgaps,alertfatigue,andburnout.51%plantobringonboardmemberswithcybersecurityexpertise7Part3:Theorganisationsthataredoingcybersecurityreallywell46%saykeepingupwiththepaceofevolvingthreatsistheirbiggestchallengeWeidentifiedagroupofsurveyrespondentswhoareusingtechnologyandtalenttogetthemostfromtheircybersecuritystrategies.WecallthemourCyberSecurityStrategyLeaders.Thiselitegroup(n=126,approximately25%ofthesample)isdefinedbythefollowingcriteria:They’veimplementedinitiativeslikeemployeeawarenesstraining,hiringin-housespecialistsandthirdpartyconsultants,usingmanagedserviceproviders,usingtechnologieslikeAIandautomation,andaligningtheirstrategywithbusinessandIT.They’remoreconfidentcomparedtootherrespondentsinhandlingthreatslikemalware,phishing,andransomware.They’veimplementedastrongertalentstrategy,likeimprovingemployeeskillsandhiringconsultants,andarefindingthiseffective.

Theymanagedatabetterthanotherrespondents—almostallareconfidentinkeepingupwithdataregulations,maintainingcustomertrustandusingdatatoinformdecisionmaking.They’vemadepurposefulinvestmentsintechnology—mosthaveinvestedincloudandupdatedinfrastructure,aswellasAIandautomation,whichcanhelpclosetheskillsgap.They’reoutperformingtheircompetitors—whilewecannotestablishaclearcausallinkbasedonourcurrentdataset,mosthaveimprovedprofitability,companyreputation,revenue,andinnovationpotentialfarmorethanotherrespondents.TakinglessonsfromthebestpracticesoftheseLeaderscouldgivemanycybersecurityexecutivesalegupgoingforward.8 iomartCyberSecurityReport October2022LearningfromtheCyberSecurityStrategyLeadersFig.5LeadersarereapingthebenefitsoftheireffortsWhichofthefollowingoutcomeshaveyouseenasaresultofyourcybersecuritystrategies?Increasedinnovationpotential38%55%Improvedrevenue77%82%Improvedinternalefficiency50%75%Improvedcompanyreputation37%60%Improveprofitability/costsavings68%72%24%TotalCreationofnewrevenuestreamsLeaders37%ImplementingcybersecuritywithclearstrategyandintentionCyberSecurityStrategyLeadersareadoptingadvancedtechnologies,leveragingthemeffectively,andmakingtheirrobustsecuritypostureintegraltocustomertrust.Tomeettheirfunctionalandorganisationalgoals,executivesneedtoimplementtheirstrategywithfinesse.It’saboutfiguringouttherightbalanceofpeople,processandtechnologyforyourorganisationinparticular.Andunderstandingthatjustbecauseanewtechnologyhascreatedabuzzinthemarket,doesn’tmeanit’srightforyourorganisation’ssecuritystrategy.

SupportedwiththerightexpertisetomakedecisionsExecutivesshouldchoosetheirsecuritysolutionswithintention,supportedbyateambackingthatdecision.Leadersseemtohaveabetterhandleonthisthannon-Leaders.AsLeadersarelesslikelytosaytheyhavetroublesortingthroughanoisycybersecuritymarketplacetofindtherightfitfortheirorganisation.Andthisisprobablybecausetheyhavein-housespecialistsandthird-partyconsultantstohelpthemnavigatedecisionmaking.Leadersarealsomorelikelytohavetakenstepstobuildateamthathelpsguidetheircybersecurity82%ofCyberSecurityStrategyLeadersareupskillingworkers9strategy.Three-quartershaveadoptedemployeetraining(vs.44%total),82%areupskillingworkers(vs.77%total),andhalfhavehiredin-housespecialists(19%total)andthird-partyconsultants(37%total)tomaximisetheirinvestments.Bridgingthecyberskillsgapinnon-traditionalwaysTheseleadersarerealisingtheopportunitiesinbridgingskillsgapswithnon-traditionalsources.Almostthree-quartershavebroughtonboardmemberswithcybersecurityexpertise(vs.39%total)orusemanagedserviceproviders(vs.70%total),and69%useprofessionalservices(vs.33%total).Resultsshowthey’realsolookingtoAIandautomationtolendahand—89%areusingAIatscaleorinsomefunctions(vs.72%total),and97%saythesameforautomation(vs.77%total).NailingthebasicssoyoucanfocusonmorecomplexissuesWhileourLeadersstillfacechallenges,theirprioritieshaveshiftedawayfrompuretechnologyissues.Lessthanathirdsaytoomanycybersecurityproductsonthemarketisachallenge(vs.45%total).Andonlyaquartersaytheyhavedifficultyfindingtherightcybersecurityprovider(vs.36%total)orlackinternalskills(vs.47%total).Theirgreatestchallengesarekeepingupwiththepaceofevolvingthreats(46%)andintegratingcybersecurityintoinfrastructure(44%).Thebasics

aren’tasbigofachallengeforourLeaders.Sothey’vebeenabletomoveontohandlingmorecomplexissues.CybersecuritystrategyLeadersperformbetteroverallDespitethechallengestheyface,Leadersperformbetteroverallthantheremainingthreequartersofrespondents.They’remoreconfidentthannon-Leadersinhandlingtheirtopcyberthreats,managingdata,maintainingcustomertrust,andleveragingdatainsights.Theyaddresstopcyberattacksbetterthannon-Leaders,with57%sayingthey’rehighlyormoderatelyconfidentinhandlingphishing(51%total),while31%saythesameforransomware(vs.23%total).Andwithdedicatedteamstohandledata,they’remanagingtheirdatabetterthannon-Leaders.Almostall(93%)areconfidentinkeepingupwithchangingdataregulations(vs.78%total),64%maintaincustomertrustindataprivacy(vs.58%),andthreequartersusedatatoinformdecisionmaking(vs.62%).Theseeffortsmaywellbelinkedtotheirsuperiorperformanceacrossarangeofbusinessmetrics.Leadershaveimprovedprofitability,efficiency,companyreputation,revenue,andhaveincreasedinnovationmorethantheircounterparts.Fig.6LeadersaddressmorecomplexissuesWhatarethetopchallengestomeetingyourorganisationscybersecuritygoals?ToomanycybersecurityproductsandservicesonthemarketLackofinternalskillsandresources(e.g.,nodedicatedfunctionor24/7capability)KeepingupwiththepaceofevolvingthreatsDifficultyintegratingcybersecurityintoinfrastructureDifficultyfindingtherightcybersecurityprovider

10 iomartCyberSecurityReport October2022Inconclusion–it’sabouttherightbalanceofpeople,processandtechnologyInacomplexcyberenvironment,thebestperformingorganisationswillimplementtechnology,processandtalentstrategieswithi