Cymulate, a leading cybersecurity company, has released its annual Cybersecurity Effectiveness Report, providing valuable insights into the current state of cybersecurity across various organizations. The report focuses on analyzing gaps and events that were not detected by security controls, rather than solely on security incidents.
According to the report, one of the most concerning findings is that 40% of organizations still have vulnerabilities within their environments that have had patches available for more than two years. This highlights the lack of improvement in basic cyber hygiene within organizations. Unpatched CVEs, poorly configured Identity and Access Management (IAM) solutions, and other vulnerabilities pose significant risks that attackers can exploit.
One reason for this lack of improvement is the prioritization of remediation efforts based on media coverage. Organizations tend to focus on addressing threats that make headlines rather than addressing more pressing vulnerabilities. The report emphasizes that organizations should prioritize fundamentals such as domain and email security, as 92% of detected exposures fall within these categories.
Another significant challenge highlighted in the report is the prevention of data exfiltration. The effectiveness of data protection measures has declined over the past year, with data exfiltration risk scores worsening. The complexity and cost associated with implementing Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) solutions contribute to this decline. Additionally, the reliance on cloud storage platforms makes it difficult to restrict access without hindering business operations.
Despite these challenges, the report indicates that email restrictions have effectively prevented data exfiltration. Organizations are increasingly leveraging native and third-party solutions to restrict the sharing of data via email. While social engineering tactics, such as Business Email Compromise (BEC) attacks, remain problematic, email protections combined with employee training can enhance the security posture of organizations.
The report also highlights the positive impact of Breach and Attack Simulation (BAS) on reducing overall risk. By comparing data over time, the report finds that regular BAS testing leads to significant improvements in risk reduction. The implementation of BAS shows consistent results across all industries, suggesting a strong correlation between BAS implementation and reduced risk.
Furthermore, the report emphasizes the importance of continuous security validation. It highlights the need for organizations to focus on fundamentals, train employees to recognize signs of social engineering attacks, and implement strong password and patching policies. Policies and training alone are insufficient, and regular security assessments are necessary to ensure that security solutions effectively mitigate current threats.
Carolyn Crandall, Chief Security Advocate and CMO at Cymulate, emphasizes the significance of the report’s findings. With over 30 years of experience in the cybersecurity industry, Crandall stresses the need for organizations to address the same risky behaviors and poor hygiene practices that have persisted for years. By doubling down on fundamentals and continuously assessing security solutions, organizations can effectively reduce risk and make informed cybersecurity decisions.
In conclusion, Cymulate’s 2022 State of Cybersecurity Effectiveness report provides valuable insights into the current state of cybersecurity. It highlights the importance of addressing known vulnerabilities, prioritizing fundamentals, preventing data exfiltration, implementing BAS, and continuously validating security solutions. By focusing on these areas, organizations can enhance their cybersecurity resilience and effectively mitigate risks posed by today’s evolving threat landscape.
