Royal Mail, the UK Electoral Commission, genetics firm 23andMe, Microsoft: just some of the brands and organisations to suffer major cyber attacks in the past year. Global research that we’ve just carried out at Fastly reveals that the increasingly complex threat landscape is a big concern for cybersecurity professionals (35%) over the last 12 months, and even more (37%) feel this will continue to drive threats in the coming year.
Security teams are understandably focused on the particular threats they are most at risk from. Our research shows that the most common attacks this year were ransomware – experienced by 29% of businesses, DDoS (28%) and attacks related to open source software (25%), followed by social engineering (22%) and API/web application-related attacks (20%). As varied as these threats are, they really only scratch the surface of a broad and ever-changing array of methods criminals can tailor to their targets. Certain sectors are more susceptible to particular types of cyber attacks, for example media and entertainment companies are more likely to be targeted for social engineering attacks. However, another worrying trend is the overall increase in alarm about bad actors using social engineering attacks like ransomware as a way of gaining access to organisations’ data and finances. Twenty nine per cent of organisations flagged this as a priority threat compared with 23% in 2022.
Boosting defences by increasing cybersecurity headcount is one obvious way to deal with the increasingly sophisticated cybersecurity threats; our survey revealed that 48% of businesses increased their spend on new talent over the last year. However, only 36% feel these hires possess the necessary skills to protect the business. Meanwhile, nearly half of cybersecurity professionals surveyed are worried about the ability of their existing talent pool to deal with threats arising from emerging technologies.
In summary, cybersecurity teams are under more pressure than ever before to combat a growing range of increasingly sophisticated security threats, while feeling less resourced than ever to be able to do so. Here are four ways for companies to square the circle and ensure cybersecurity teams are adequately equipped for future cyberattacks:
Prioritise cross-organisational security
When facing a wide range of threats, it’s important to equip as much of the business as possible to meet these challenges. This requires a twofold process of hiring the right experts and ensuring internal security processes are up to standard. Recruitment can be complicated in cybersecurity – a third of team leaders felt that security issues in the last 12 months were directly attributable to the talent shortage. What’s more, the skills cybersecurity teams require, have to flex to match the developing threat landscape. Because of this, it’s best to focus hiring practices around talent that understands emerging technologies. Cybersecurity experts agree: over a third (36%) of businesses we surveyed say that high-quality recruitment tops their investment wishlists in the coming year.
In terms of shoring up internal security processes, businesses need to be rigorous with training and establish clear security protocols for employees to follow in the event of a cyber attack. Given the increase in social engineering attacks, training plans should be reinforced across the entire organisation to make sure that all employees recognise the signs of an ongoing threat and can take appropriate action.
Move cybersecurity accessibility up the agenda
As we have seen, an organisation’s security posture is not just down to the experts, security strategies must involve all employees in protecting the business. In view of this, accessibility plays a key role in making the overall business more secure. If regular workers don’t understand their role in preventing cyber attacks or are unable to use the cybersecurity tools at their disposal, they can be much more easily targeted and leave the business more vulnerable. Struggles with the transition to hybrid work have highlighted the urgency of accessibility as 78% of security professionals believe hybrid workers are more difficult to secure. For this reason, it’s encouraging to see that 35% of security professionals aim to make cybersecurity more accessible in order to meet usability requirements and boost their cybersecurity posture.
Embrace a Secure by Design approach
It’s tempting for cybersecurity teams to throw money at the issue of shoring up teams to combat growing cybersecurity teams – in fact 76% of cybersecurity professionals plan to do just that by increasing cybersecurity spending in the next 12 months. Secure by Design is an alternative solution to spiralling cybersecurity expenditure. This mindset involves designing security into the core of any project right from the outset. Addressing and preparing for security hazards when designing a product or system, shifts the need for human action further away from the stack, which means that security success does not need to rely on human perfection to succeed. There are two ways to embrace a Secure by Design approach. The first is through solutions that eliminate hazards and the second is via solutions that reduce hazards. Eliminating hazards is all about ensuring solutions don’t rely on human behaviour. For example, isolating access to financial data in payment apps by using a more modular application architecture removes hazards for security teams rather than making them act on them.
Reducing hazard by design is about identifying problems and choosing safe, reliable technologies and methods to build each component of the cybersecurity architecture. This could include avoiding using code in languages lacking memory safety like C or C++. Instead, reducing hazard by design would involve isolating unsafe code or refactoring systems into a memory safe language. This approach ensures the stack is built with security in mind, reducing the unnecessary costs of a reactive strategy.
Leverage generative AI to develop training programmes
Generative AI is viewed as a bit of a mixed blessing by survey respondents with over a third (37%) looking to define a new security approach as it relates to generative AI. More positively, generative AI can be leveraged as a tool to counteract the strain on security teams. Nearly half (43%) of security professionals recognise this and expect a productivity boost as the technology is more widely adopted. One area where cybersecurity professionals expect generative AI to have a big impact is in training and development, with generative AI’s content development potential coming to the rescue of security professionals tasked with writing training programmes. Our survey revealed that the implementation of generative AI-created training programmes will become more prevalent within the industry. In fact, 36% of security professionals predict that generative AI will allow them to train their colleagues more effectively in cybersecurity basics. This development will offer them significant support when it comes to fostering security-first mindsets throughout organisations. Small wonder that 42% of security professionals believe that, deployed correctly, AI is likely to be an effective tool when it comes to protecting their businesses.
Failing to prepare is preparing to fail
Security teams don’t need to spend wildly to combat the growing danger from cyber attacks. By prioritising cross-organisational security and accessibility, embracing Secure by Design and using generative AI for training, companies can implement security resilience through the entire organisation. This approach equips security teams to prove their value beyond the point of an actual attack. That said, the numbers show that bad actors are only getting better, so the time for action is now.
Sean Leach is VP of Technology at Fastly, where he focuses on driving the product and technology strategy, security and network research, as well as evangelizing Fastly globally. He joined Fastly in 2014, building out the Security and Product organizations. He also launched the Compute product line and led the vision and strategy for the Signal Sciences acquisition.
Sean was previously the CTO of Verisign’s Security business, where he provided vision and strategic direction along with product and technical architecture. Sean worked with the technology leadership team at Verisign to foster and create new products and services across the entire company, including productizing the various technology and research projects within Verisign Labs. In addition, he was the primary evangelist for the company, frequently speaking at various industry events and with reporters, analysts and customers.
Previous to that, Sean led technology and engineering at UltraDNS before selling the business to Neustar. Post acquisition Sean led product and technology as well as evangelism for Neustar’s Infrastructure and Security business.