Cybersecurity Report Card Shows Grades Rising for Orgs
Five percent more organizations plan to step up security awareness training in the coming year compared to last year.
It may be only September, but Seattle-based DomainTools' annual Cybersecurity Report Card Survey is out, and it reveals GPAs on the rise, with security pros feeling more confident than ever before.
In the report, more than 500 security professionals were surveyed about their security posture and asked to grade the overall health of their programs. Their responses, particularly when compared to the results of the 2017 Report Card, shed light on how cybersecurity practices are evolving and what successful organizations are doing to adapt to the ever-changing threat landscape.
Despite today’s volatile security climate, the research shows infosec professionals feel more confident now than in previous years due to greater investment in automated processes, threat intelligence solutions, and a commitment to company-wide training. DomainTools indicated that, compared to 2017, the percentage of respondents who said their organization should be graded as a C or lower declined. Looking at the grades overall, the firm said the organizations surveyed have refined and improved their security posture.
“In the midst of a seemingly never-ending flow of attacks, this annual report provides insight into the approaches that will take security grades from an F to an A,” Corin Imai, DomainTools’ senior product marketing manager, said. “It’s notable that A and B grades come from a strategic use of automation and that we are seeing a decrease in the number of teams using manual processes.”
Key findings:
- Report card grades improved in 2018, with 21% of respondents giving their programs an “A,” and 42% rating their work at a “B.” The percentage graded “C” or worse also declined.
- Strategic use of automation technology plays a significant role among highly rated programs: 92% of “A” companies said they use automation to simplify time-consuming processes. DomainTools warned that automation can create more issues than solutions if organizations don’t have skilled security professionals, technologies, and processes in place.
- One surprising finding was the decrease in malware analysis when investigating attacks. Malware analysis declined by 12% from 2017, and forensic analysis of compromised machines was scaled back by six percent.
- Five percent more organizations plan to step up security awareness training in the coming year than did last year, and the number of those that intend to skip training initiatives decreased by half from 2017.
- Eighty-two percent of security professionals find value in using domain name system (DNS)-based threat intelligence.
The report also looked at the most common threat vectors that organizations detect and found that one-third of organizations detect malicious activity – predominantly from malware, spear-phishing, ransomware and business email compromise – several times every day. Among organizations that did report a breach in 2018, fewer indicated they “did not know” whether they were targeted or not than in 2017.
“One of the unfortunate downsides of dealing with security at scale (or from a resource standpoint) and relying on automated analysis is the potential hit to accuracy. If a malware analysis service is not detecting and flagging for executables that exhibit anti-VM (virtual machine)/anti-sandboxing techniques, then the business is facing a higher risk of compromise. This is very much part of the attack lifecycle and a serious consideration from the defense aspect,” Tarik Saleh, senior security engineer, DomainTools, said.
The survey, conducted by DomainTools in July 2018, polled security professionals and executives working in finance, government, healthcare, retail, technology and other industries in organizations of 10,000-plus employees. Regions included North America, EMEA, APAC and LATAM.