A recent SANS survey sent shockwaves through the cybersecurity world, even as reports of massive phishing scams and ransomware attacks flooded the media, making 2021 arguably the worst year ever based on the statistics – and we are only halfway through this year.
The report reiterated the source of most breaches happens as the result of human errors (employees falling for phishing scams that result in data compromise or credential theft) and said that despite the evidence, few organizations are making real progress in addressing growing threats.
The SANS team surveyed over 1,500 professionals involved in security awareness training and found 75% spend less than half their time on raising awareness among employees, even calling current efforts "part-time" in nature.
2021 marks the sixth release of the SANS Security Awareness Report, and through 2020-2021 the industry witnessed deep and rapid changes in how and where employees work. These changes have caused unprecedented evolution not only in technology we use but how we use it, especially with so many working from home.
"Simply stated," their introduction of the report said, "it has never been more important to effectively create and maintain a cyber-secure workforce and a vibrant security culture."
"Cybersecurity is no longer just about technology but people; managing human risk," said Lance Spitzner, SANS Security Awareness Director and co-author of the report. "Awareness programs enable security teams to do just that by not only guiding how people think about security but how they act, from the Board of Directors on down. This report enables security professionals to make data-driven decisions on how they can most effectively engage the workforce and manage human risk."
Key Findings in the report include:
- Workforce: Over 75% of security awareness professionals are spending less than half their time on security awareness, implying awareness is too often a part-time effort. The data shows that security awareness responsibilities are very commonly assigned to staff with highly technical backgrounds, who may lack the skills needed to effectively engage their workforce in simple-to-understand terms.
- Compensation: The average salary reported was $103,000 USD for security training full-time professionals. However, salaries were found to be higher for those with technical backgrounds, and on average, up to $10,000 less for those with non-technical backgrounds.
- Top Reported Challenges: The two top reported challenges for building a mature awareness program are the lack of time to manage the program and a lack of personnel to work on and implement the program.
- Dedicated Personnel: Awareness programs effectively changing behavior had at least 2.5 FTEs (Full-Time Equivalent) dedicated to helping manage their awareness program. Those impacting culture and having the metrics framework to prove it on average had 3.5 FTEs.
"Security awareness programs have evolved from a limited compliance focus to becoming a key part of an organization's ability to manage human cyber risk," said Dan DeBeaubien, SANS Security Awareness Director and the other co-author of the report. "While security awareness programs are gaining executive support, there is still a long way to go before enough personnel, resources, and tools are allocated to this effort."
"Roughly 10% of organizations out there — represented by our respondents — have someone dedicated full time" to security awareness, Spitzner says. "That is similar to what we have seen over the past surveys, [so] no real change there."
We caught up with Mohie Ahmed, Solutions Architect at Ironsphere, a Privileged Access Management software and solutions company based in New Jersey, and he said, "Making sure security teams have adequate resources to invest in advanced ZTNA and other approaches is mission-critical," Ahmed said. "It is no longer feasible to expect over-taxed IT and OT teams to approach increasingly sophisticated attackers manually. Intelligence, automation, user-friendly tools, reporting, and more not only make it easier to keep assets safer but also assist in the audits performed in regulated industries."
The SANS report confirmed that security awareness programs are supported by the C-Suite – CEOs, CIOs, CISOs, and board Chairmen and board members. That said, the authors of the report say CFOs and others in the finance group have been the biggest blockers to progress.
"We are seeing a dramatic shift in this pattern, and today within our client base, which expanded 67% in 2021, CFOs are playing a lead role given the proven breaches or compliance failures," Ahmed said. "Once they understand the whole picture and look at cybersecurity in the context of a fulsome risk management posture, they embrace and advocate for better solutions, which their CIO and IT/OT teams greatly appreciate."
Privileged Access Management (PAM) solutions protect enterprises and organizations from risk in many ways, and given the rise of internal and external attacks on infrastructure, applications and data, PAM is no longer a "nice to have" – it is a "must have" Ahmed explained.
"PAM software is frequently used as an information security and governance tool to prevent data breaches and attacks through privileged accounts. IT managers and network administrators must efficiently secure access, control configurations, and log all activities in the data center or network infrastructure, where any failure to access privileged accounts could result in a material impact on business continuity."
Ahmed said PAM solutions consistently protect management accounts, control privileged user access, enforce segregation of duties, log user sessions and activities, provide accounting, compliance auditing, and operational efficiency.
"We now have ample evidence that PAM helps to prevent security breaches, which have been documented to cost from $4M to $400M, depending on the number of records compromised and the value of the related data," Ahmed said.
Historically, organizations have invested in software and hardware-focused on securing the perimeter of their networks, but today PAM plays a critical role in protecting assets and mitigating risk, given that 81% of all data breaches in 2019 were linked to lost or stolen user credentials, and 43% of successful breaches were linked to internal actors, according to the Verizon (News - Alert) Data Breach Investigations Report (DBIR), a trend that continued through 2020 according to the DBI 2021.
"Today's organizations are faced with increasing challenges, given the explosion of growth in remote workers and the expansion of the use of third-party IT managed service providers and other tech partners requiring remote access," Ahmed summarized. "With a majority of data breaches attributed to employees and third-party vendors, securing remote access is essential, as is ensuring only those who need to access resources can access those resources, and that the process for tracking and governing privileged accounts occurs in real-time, leveraging automation and advanced, cloud-ready PAM solutions."
Edited by Luke Bellos