Rise in cyberattacks has boosted IT teams’ security skills


Sophos findings for Asia Pacific and Japan in its global survey, “The IT Security Team: 2021 and Beyond,” show how increased security challenges during the pandemic offered IT teams a unique opportunity to build their cybersecurity expertise.

The vast majority of IT teams in Singapore who faced a rise in cyberattacks (68%) and a heavier security workload (70%) over the course of 2020 reported having strengthened their security skills and knowledge. Despite the challenges created by the pandemic, 47% of the IT teams surveyed in Singapore said team morale increased during 2020.

The increase in cyberattacks during the pandemic impacted IT security skills across all industry sectors covered in the survey, including education (83%), retail (85%) and healthcare (80%) globally.

The survey polled 5,400 IT decision makers in mid-sized organisations in 30 countries across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East, and Africa.

“IT professionals played a vital role in helping organisations to keep going despite the restrictions and limitations necessitated by COVID-19,” said Chester Wisniewski, principal research scientist, Sophos.

“Among other things, they enabled education institutions to move learning online, retailers to switch to online transactions, healthcare organisations to deliver digital services and care under incredibly tough circumstances, and ensured public entities could continue to provide essential services.

“Much of this will have been done at high speed, with limited equipment and resources available and while facing a rising tide of cyberattacks against the network, endpoints and employees. To say things were probably pretty stressful for most IT teams is an understatement.

“However, the survey shows that in many cases these challenges have created not just more highly skilled, but more motivated IT teams, ready to embrace an ambitious future,” he continued.

“Planning ahead post-pandemic, we have an excellent opportunity to implement new IT and security policies, adopt more secure modern tools to manage employees and operations beyond the IT perimeter, build expert teams that blend in-house and out-sourced talent, and introduce security platforms that combine intelligent automation with human threat hunting expertise.”

The main findings of “The IT Security Team: 2021 and Beyond” survey for the APJ region include:

  • Demands on IT teams increased as technology became the key enabler for dispersed and digital organisations. Overall IT workload (excluding security) increased for 62% of IT teams, while 66% experienced an increase in cybersecurity workload.
  • Adversaries were quick to take advantage of the opportunities presented by the pandemic: 60% of IT teams overall reported an increase in the number of cyberattacks targeting their organisation and 65% said the attacks were too advanced for the organisation’s IT team to deal with on their own.

Globally, the challenge was most acute in the business and professional services sector (63%).

  • The increased security workload and a rise in the number of cyberattacks enabled IT teams to build their cybersecurity skills and knowledge. 72% of IT teams increased their ability to develop cybersecurity skills and knowledge.

It is likely that much of this professional development will have been informal on-the-job learning, acquired as teams tackled advanced threats and attacks, as well as new technology and security demands, often under intense pressure and remote from their normal place of work.

Globally, retail was the sector most able to increase cybersecurity skills and knowledge (77%), followed by education (75%).

  • Facing challenges together boosted team morale. More than half (59%) of the IT teams surveyed said team morale increased over the course of 2020. In many cases, morale appeared to increase in line with heavier workload and more intense attacks.

Globally, ransomware victims were considerably more likely to have experienced an increase in team morale than those that weren’t hit (60% versus 47%). Morale is also likely influenced by external and personal circumstances during the pandemic, such as local lockdowns, the inability to see family and other factors. Regardless, the findings suggest that a shared purpose, a sense of value and facing adversity together helped to bond and lift the spirits of IT teams.

  • The experiences of 2020 have fuelled ambitions for bigger IT teams and using advanced tools such as artificial intelligence (AI) in future technology strategies. Many organisations appear to have entered 2021 with plans to increase the size of both in-house and outsourced IT teams, and to embrace the potential of advanced tools and technologies.

The survey found that 63% of IT teams in APJ anticipate an increase in in-house IT security staff by 2023, and 55% expect the number of outsourced IT security staff to grow over the same time frame. An overwhelming majority (86%) expect AI to help deal with the growing number and/or complexity of threats. This could be due in part to the fact that 65% of APJ IT teams believe that cyberattacks are now too advanced for the in-house team to tackle on their own.

Best Practices to defend against cyberattacks

Sophos recommends the following best practices to help defend against ransomware and related cyberattacks:

At a strategic level:

  • Deploy layered protection. As more ransomware attacks begin to involve extortion, backups remain necessary, but insufficient. It is more important than ever to keep adversaries out in the first place, or to detect them quickly, before they cause harm. Use layered protection to block and detect attackers at as many points as possible across an estate.
  • Combine human experts and anti-ransomware technology. The key to stopping ransomware is defense-in-depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology provides the scale and automation an organization needs, while human experts are best able to detect the tell-tale tactics, techniques and procedures that indicate an attacker is attempting to get into the environment. If organisations don’t have the skills in house, they can enlist support from cybersecurity specialists.

At a day-to-day tactical level:

  • Monitor and respond to alerts. Ensure the appropriate tools, processes, and resources (people) are available to monitor, investigate and respond to threats seen in the environment. Ransomware attackers often time their strike during off-peak hours, at weekends or during the holidays, on the assumption that few or no staff are watching.
  • Set and enforce strong passwords. Strong passwords serve as one of the first lines of defense. Passwords should be unique or complex and never re-used. This is easier to accomplish with a password manager that can store staff credentials.
  • Use Multi Factor Authentication (MFA). Even strong passwords can be compromised. Any form of multifactor authentication is better than none for securing access to critical resources such as e-mail, remote management tools and network assets.
  • Lock down accessible services. Perform network scans from the outside and identify and lock down the ports commonly used by VNC, RDP, or other remote access tools. If a machine needs to be reachable using a remote management tool, put that tool behind a VPN or zero-trust network access solution that uses MFA as part of its login.
  • Practice segmentation and zero-trust. Separate critical servers from each other and from workstations by putting them into separate VLANs as you work towards a zero-trust network model.
  • Make offline backups of information and applications. Keep backups up to date, ensure their recoverability and keep a copy offline.
  • Inventory your assets and accounts. Unknown, unprotected and unpatched devices in the network increase risk and create a situation where malicious activities could pass unnoticed. It is vital to have a current inventory of all connected compute instances. Use network scans, IaaS tools, and physical checks to locate and catalog them, and install endpoint protection software on any machines that lack protection.
  • Make sure security products are correctly configured. Under-protected systems and devices are vulnerable too. It is important that security solutions are configured properly and that security policies are checked and, where necessary, validated and updated. New security features are not always enabled automatically. Don’t disable tamper protection or create broad detection exclusions, as doing so will make an attacker’s job easier.
  • Audit Active Directory (AD). Conduct regular audits on all accounts in AD, ensuring that none have more access than is needed for their purpose. Disable accounts for departing employees as soon as they leave the company.
  • Patch everything. Keep Windows and other operating systems and software up to date. This also means double checking that patches have been installed correctly and are in place for critical systems like internet-facing machines or domain controllers.
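Several of the tactical items above (locking down VNC/RDP exposure, keeping an asset inventory with endpoint protection everywhere, auditing AD accounts and confirming patches on internet-facing machines and domain controllers) can be turned into a repeatable audit. The following is an added example, not code from Sophos or the survey: it runs those four checks over a constructed inventory and AD export; the field names, the 90-day inactivity threshold and the reference date are assumptions.

```python
from datetime import date

# Ports the recommendations single out: RDP (3389) and the usual VNC range.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5901: "VNC"}
TODAY = date(2021, 6, 30)  # constructed reference date for the inactivity check

# Constructed sample data: listening remote-access ports joined with the asset
# inventory (internet_facing = reachable directly, not only via VPN/ZTNA;
# epp = endpoint protection installed; patched = patch state verified).
HOSTS = [
    {"name": "web01", "role": "web", "open_ports": [443], "internet_facing": True, "epp": True, "patched": True},
    {"name": "jump01", "role": "jump", "open_ports": [3389], "internet_facing": True, "epp": True, "patched": False},
    {"name": "lab-pc7", "role": "workstation", "open_ports": [5900], "internet_facing": False, "epp": False, "patched": True},
    {"name": "dc01", "role": "dc", "open_ports": [], "internet_facing": False, "epp": True, "patched": False},
]
# Constructed AD export: a departed user and a long-idle privileged service account.
ACCOUNTS = [
    {"sam": "alice", "last_logon": date(2021, 6, 1), "departed": False, "admin": False},
    {"sam": "bob", "last_logon": date(2021, 3, 2), "departed": True, "admin": False},
    {"sam": "svc_backup", "last_logon": date(2020, 11, 15), "departed": False, "admin": True},
]

def exposed_remote_access(hosts):
    """Remote-management ports reachable from outside with no VPN/ZTNA in front."""
    return [(h["name"], p, REMOTE_ACCESS_PORTS[p]) for h in hosts
            for p in h["open_ports"] if p in REMOTE_ACCESS_PORTS and h["internet_facing"]]

def unprotected_hosts(hosts):
    """Inventory entries with no endpoint protection installed."""
    return [h["name"] for h in hosts if not h["epp"]]

def unpatched_critical(hosts):
    """Critical systems (internet-facing or domain controllers) whose patches are not verified."""
    return [h["name"] for h in hosts if not h["patched"] and (h["role"] == "dc" or h["internet_facing"])]

def ad_account_findings(accounts, today=TODAY, max_idle_days=90):
    """Accounts to disable (departed) or review (idle beyond the threshold)."""
    findings = []
    for a in accounts:
        idle = (today - a["last_logon"]).days
        if a["departed"]:
            findings.append((a["sam"], "disable: user has left"))
        elif idle > max_idle_days:
            what = "privileged and idle" if a["admin"] else "idle"
            findings.append((a["sam"], f"review: {what} for {idle} days"))
    return findings

if __name__ == "__main__":
    print("Exposed remote access:", exposed_remote_access(HOSTS))
    print("No endpoint protection:", unprotected_hosts(HOSTS))
    print("Unpatched critical systems:", unpatched_critical(HOSTS))
    print("AD account findings:", ad_account_findings(ACCOUNTS))
```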