Trend Micro – Global Organizations Struggle to Manage Cyber Risk

Trend Micro Incorporated announced the findings of a new global study indicating that organizations are struggling to define and secure an expanding cyber-attack surface, hampering risk management efforts.

There’s a simple but powerful dynamic driving cyber risk for most organisations today. The more they invest in digital infrastructure and tooling to drive sustainable growth, the more they may expose themselves to attack. According to experts, digital transformation during the pandemic pushed many of organisations over a technology “tipping point” from which they will never return. In short, the future of business is digital—from hybrid working to cloud-powered customer experiences. That creates a challenge for CISOs.
This challenge is often articulated in terms of the digital attack surface—that is, the collection of applications, websites, cloud infrastructure, on-premises servers, operational technology (OT) and other elements which are often exposed to remote threat actors.
The risks associated with attack can be mitigated if organisations have visibility into all of these assets, calculate their risk exposure accurately and then take steps to secure the attack surface. Yet many struggle to do so.
The study revealed that three-quarters (73%) of global organizations are worried about their growing attack surface. Over a third (37%) said it is “constantly evolving and messy,” with only half (51%) able to fully define its extent. Over two-fifths (43%) of respondents went further, admitting the digital attack surface is “spiraling out of control.”

Visibility challenges appear to be the main reason organizations are struggling to manage and understand cyber risk in these environments.

Almost two-thirds (62%) said they have blind spots that hamper security, with cloud environments cited as the most opaque. On average, respondents estimated having just 62% visibility of their attack surface. These challenges are multiplied in global organizations. Two-thirds (65%) of respondents claimed that being an international enterprise that spans multiple jurisdictions makes managing the attack surface harder.

Yet a quarter (24%) are still mapping their systems manually and 29% do so regionally—which can create further silos and visibility gaps.

“IT modernization over the past two years was a necessary response to the ravages of the pandemic, but in many cases it unwittingly expanded the digital attack surface, giving threat actors more opportunities to compromise key assets,” said Bharat Mistry, Technical Director at Trend Micro. “A unified, platform-based approach is the best way to minimize visibility gaps, enhance risk assessments and improve protection across these complex, distributed IT environments.”

The study also revealed that over half (54%) of global organizations don’t believe their method of assessing risk exposure is sophisticated enough. This is borne out in other findings:

  • Only 45% have a completely well-defined way to assess risk exposure
  • More than a third (35%) only review/update their exposure monthly or less frequently
  • Just 23% review risk exposure daily
  • Keeping up to date with the ever-changing attack surface is the top area organizations struggle with
So how can CISOs build a more risk-aware organisation?
It comes down to three important steps:
1) Gain visibility into all assets and attack vectors
2) Use that data to continuously calculate risk exposure
3) Invest in the right controls to mitigate that risk
The benefit of a platform-based approach here should be clear. If the platform is extensive enough to cover the entire attack surface—from email and endpoints to networks and the cloud—it will help to eliminate data silos and provide comprehensive visibility into assets. That same platform could be configured to deliver continuous protection of those asset via prevention, detection and response tools and techniques, to minimise security gaps and improve decision making.

A platform-based approach will not only reduce expenditure on renewing and managing point products, it also saves stretched IT teams time and effort—freeing them to work on high value proactive security tasks rather than swivel-chair fire-fighting.