Trend Micro Incorporated has announced the findings of a new global study indicating that organizations are struggling to define and secure an expanding cyber-attack surface, hampering risk management efforts.
The study revealed that three-quarters (73%) of global organizations are worried about their growing attack surface. Over a third (37%) said it is “constantly evolving and messy,” with only half (51%) able to fully define its extent.
Over two-fifths (43%) of respondents went further, admitting the digital attack surface is “spiraling out of control.”
Visibility challenges appear to be the main reason organizations are struggling to manage and understand cyber risk in these environments.
Almost two-thirds (62%) said they have blind spots that hamper security, with cloud environments cited as the most opaque. On average, respondents estimated having just 62% visibility of their attack surface.
These challenges are multiplied in global organizations. Two-thirds (65%) of respondents claimed that being an international enterprise that spans multiple jurisdictions makes managing the attack surface harder.
Yet a quarter (24%) are still mapping their systems manually and 29% do so regionally—which can create further silos and visibility gaps.
“IT modernization over the past two years was a necessary response to the ravages of the pandemic, but in many cases it unwittingly expanded the digital attack surface, giving threat actors more opportunities to compromise key assets,” said Bharat Mistry, Technical Director at Trend Micro. “
A unified, platform-based approach is the best way to minimize visibility gaps, enhance risk assessments and improve protection across these complex, distributed IT environments.”
The study also revealed that over half (54%) of global organizations don’t believe their method of assessing risk exposure is sophisticated enough. This is borne out in other findings:
- Only 45% have a completely well-defined way to assess risk exposure
- More than a third (35%) only review/update their exposure monthly or less frequently
- Just 23% review risk exposure daily
- Keeping up to date with the ever-changing attack surface is the top area organizations struggle with
Significant impact on ICS/OT environments
Research announced just a day before had revealed that 89% of electricity, oil & gas, and manufacturing firms have experienced cyber-attacks impacting production and energy supply over the past 12 months.
“Across the globe, industrial locations are going digital to drive sustainable growth. But this has invited a deluge of threats which they are ill-equipped to mitigate, causing major financial and reputational damage,” said William Malik, vice president of infrastructure of strategies at Trend Micro.
“Managing these heavily networked IT and OT environments effectively requires an experienced partner with the foresight and breadth of capabilities needed to deliver best-in-class protection across both environments.”
The findings come a year after the Colonial Pipeline ransomware attack, which forced OT systems at the provider offline for several days, leading to major fuel shortages up and down the US East Coast. It is still the largest critical infrastructure (CNI) attack of its kind.
Around half of the industrial sector organizations affected by CNI attacks made efforts to improve cybersecurity infrastructures but do not always have sufficient resources or knowledge in place to defend against future threats.
Of the responding organizations that suffered cyber disruption to their operational technology and industrial control systems (OT/ICS), the average financial damages amount to approximately $2.8 million, with the oil & gas industry suffering the most.
Almost three-quarters (72%) of respondents admitted they experienced cyber disruption to their ICS/OT environments at least six times during the year.
The research also found that:
- 40% of respondents could not block the initial attack
- 48% of those who say there have been some disruptions do not always make improvements to minimize future cyber risks.
- Future investments in cloud systems (28%) and private 5G deployments (26%) were the top two drivers of cybersecurity among respondents.
- The OT security function tends to be less mature than IT on average in terms of risk-based security.
The addition of cloud, edge, and 5G in the mixed IT and OT environments has rapidly transformed industrial operations and systems. Organizations must stay ahead of the curve and take security measures to protect business assets. Improving risk and threat visibility is a curtail first step to a secure industrial cloud and private network.
