Majority of boards of directors will only approve new cybersecurity funding after a cyber attack has taken place, Tanium research discovers
The vast majority of cyberattacks suffered by UK organisations are avoidable, but IT departments are struggling to acquire the needed skills and funding approvals from senior management.
This is according to endpoint security specialist Tanium, which published new research based on a UK online survey of IT security decision makers at organisations (including public sector, financial services, healthcare, and retail) with 250 or more staff.
The research comes after UK delivery giant Yodel confirmed this week it had suffered a “cyber incident” that was impacting customer deliveries.
The Tanium study entitled “Cybersecurity: Prevention Is Better than the Cure” revealed that 92 percent of UK organisations have experienced a cyber attack in the last 24 months.
Additionally, 90 percent of IT security professionals whose organisation has experienced a cyber attack agreed that the majority of attacks experienced had been avoidable in some way.
The study also found that 86 percent of organisations compromised by a breach in the last six months believed that more investment in preventative measures (such as tools or staff training) would have minimised incidents.
But IT departments are struggling to implement preventative measures because of a shortage of technical skills and budget-allocation delays from boards of directors.
Indeed, 86 percent of respondents who experienced a cyber attack in the past six months agreed that the board of directors only approves new cybersecurity funding after the incident has taken place.
Depressingly, the study also found that 75 percent of respondents stated that “some cybersecurity incidents needed to happen” in order to get increased investment from leadership.
“Many organisations focus too much on cybersecurity point solutions like antivirus, rather than adopting a holistic, data-driven approach to prevention,” said Oliver Cronk, chief architect, EMEA, at Tanium.
“As our research shows, many damaging security incidents – even those resulting from more sophisticated attack vectors – could have been prevented,” said Cronk. “In fact, more than half of the breaches we see could have been avoided by maintaining baseline cyber-hygiene standards.”
“The current situation is the equivalent of leaving your front door and windows open and only locking them after a burglary has taken place,” said Cronk.
The Tanium research found that 92 percent of organisations surveyed have experienced a breach at some point in the past, 82 percent within the last 24 months, and 73 percent in the last 12 months.
And the respondents believe that the problem is only going to get worse, with 80 percent of C-suite decision makers believing that the risk of cyber threats is increasing and expecting 2022 to be the worst year yet in terms of the number of attacks.
Loss of productivity resulting from downtime is cited as the most damaging impact of a cyber attack (56 percent of all respondents).
Almost seven in ten respondents recognised that a predominantly preventative approach to cybersecurity is best (68 percent), whereas only 32 percent favour a primarily reactive approach.
The challenge for IT departments is clear, as IT teams are having to contend with skills gaps and overwhelmed departments, which in turn results in preventative security measures taking a lower priority.
More than half of organisations (55 percent) agree that there is insufficient staff or resources to focus on preventative security measures.
The Tanium study also found that 85 percent of all respondents surveyed agreed that there is a greater cost to recover from a cybersecurity incident than to prevent one.
Tanium advised that a crucial element of preventative strategies is cyber hygiene, which refers to a set of habitual practices that help to secure networks and data.
For example, consistent and timely patching is a fundamental element of a sound cybersecurity posture.
But to be effective, organisations need to understand where vulnerabilities exist and have the ability to address them quickly and easily.
But it seems that companies are not learning lessons.
Back in 2019, a Tanium study found that the vast majority of IT teams opt to hold off installing important security updates or patches.
35 percent of respondents in 2019 cited pressure to keep the lights on, whilst almost a third (31 percent) suggested they were hamstrung by legacy IT commitments, which restrict their security efforts.
And nearly a third (30 percent) said that a focus on implementing new systems takes precedence over protecting existing business assets, and over a quarter (28 percent) stressed that inconsistent and incomplete datasets were a key driver.